WinFSP 2.1.25156 or lower Kernel Heap Overflow Local Priv Esc
CVE-2026-3006 Published on April 27, 2026

Race Condition Vulnerability
Successful exploitation of the race condition vulnerability could allow an attacker to trigger a kernel heap overflow, potentially leading to local privilege escalation and granting system-level access to the affected software.

NVD

Vulnerability Analysis

CVE-2026-3006 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
LOCAL
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is a Race Condition Vulnerability?

The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

CVE-2026-3006 has been classified to as a Race Condition vulnerability or weakness.

Context Switching Race Condition

A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch. This is commonly seen in web browser vulnerabilities in which the attacker can perform certain actions while the browser is transitioning from a trusted to an untrusted domain, or vice versa, and the browser performs the actions on one domain using the trust level and resources of the other domain.


Products Associated with CVE-2026-3006

Want to know whenever a new CVE is published for Red Hat Acm? stack.watch will email you.

 

Affected Versions

WinFSP: Red Hat Advanced Cluster Management for Kubernetes 2:

Exploit Probability

EPSS
0.09%
Percentile
0.64%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.