- Product: WinFSP, WinFsp
- Vulnerabilities: 2 flaws (CVE-2026-3006, CVE-2026-7162)
- Highest severity: 7.8 (High · CVSSv3)
- Worst impact: Successful exploitation of the integer overflow vulnerability could allow an attacker to achieve...
- Status: No confirmed exploitation yet
- Action: See vendor advisories
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-7162 | 7.8 | CWE-190 | Not exploited |
| CVE-2026-3006 | 7.0 | CWE-362 | Not exploited |
TL;DR
The WinFsp project has fixed two WinFsp vulnerabilities, CVE-2026-3006 (CVSS 7.0) and CVE-2026-7162 (CVSS 7.8). Both flaws could hand a local attacker system-level access on Windows machines running the file system driver. The fixes ship in the WinFsp 2026 Beta2 release.
Why It Matters
WinFsp, short for Windows File System Proxy, brings FUSE-style custom file systems to Windows. Many popular tools bundle it, including cloud storage mounters and remote file system clients. As a result, these WinFsp vulnerabilities may sit quietly inside software that users never associate with a kernel driver. A low-privileged attacker who exploits either flaw could gain SYSTEM rights on the host.
How the Attack Works
CVE-2026-3006: Race Condition
Security researcher Tay Kiat Loong (@Owl4444) discovered this race condition in the kernel component. Winning the timing window triggers a kernel heap overflow. From there, an attacker could escalate from a low-integrity process to SYSTEM. Singapore’s Cyber Security Agency (CSA) issued the CVE under its responsible disclosure program.
CVE-2026-7162: Integer Overflow
Tay Kiat Loong and researcher uhg (@UltimateHG) reported this integer overflow. Successful exploitation could likewise grant system-level access to the affected software.
Affected Versions
According to the CSA advisory, CVE-2026-3006 affects WinFsp versions 2.1.25156 and lower. Both flaws are resolved in the WinFsp 2026 Beta releases.
Exploitation Status
Neither the project changelog nor the CSA advisory confirms in-the-wild exploitation or a public proof-of-concept. No such activity has been confirmed at this time.
Patch and Mitigation
Users and vendors that embed WinFsp should update to WinFsp 2026 Beta2 (v2.2B2) or later. The project has since published Beta3, which also carries both fixes. Administrators should check bundled tools for embedded WinFsp drivers and apply vendor updates promptly.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.