Cyber Resilience

CVE-2025-26631

High

Published: 11 March 2025

Published
11 March 2025
Modified
03 July 2025
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0033 56.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26631 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Microsoft Visual Studio Code. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL (T1574.001); ranked in the top 44.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-26631 is an uncontrolled search path element vulnerability, classified under CWE-427, affecting Visual Studio Code. Published on 2025-03-11, it carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability.

A local attacker with low privileges can exploit this vulnerability by leveraging the uncontrolled search path, provided they induce user interaction. Successful exploitation allows privilege escalation on the affected system.

Microsoft's update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26631 provides details on mitigation and patching for this vulnerability.

EU & UK References

Vulnerability details

Uncontrolled search path element in Visual Studio Code allows an authorized attacker to elevate privileges locally.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.001 DLL Stealth
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.
Why these techniques?

Uncontrolled search path element (CWE-427) directly enables DLL Search Order Hijacking to achieve local privilege escalation with user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24039Same product: Microsoft Visual Studio Code
CVE-2026-41613Same product: Microsoft Visual Studio Code
CVE-2026-41611Same product: Microsoft Visual Studio Code
CVE-2025-24042Same product: Microsoft Visual Studio Code
CVE-2026-21518Same product: Microsoft Visual Studio Code
CVE-2025-24998Same vendor: Microsoft
CVE-2026-41109Same product: Microsoft Visual Studio Code
CVE-2026-21523Same product: Microsoft Visual Studio Code
CVE-2025-25003Same vendor: Microsoft
CVE-2026-32172Same vendor: Microsoft

Affected Assets

microsoft
visual studio code
≤ 1.98.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the uncontrolled search path vulnerability in Visual Studio Code by requiring timely flaw remediation through patching as per Microsoft's update guide.

prevent

Limits the impact of local privilege escalation by enforcing least privilege for users and processes, reducing what an attacker can achieve upon exploitation.

prevent

Addresses user-installed software like Visual Studio Code by establishing policies to restrict or approve installations, preventing deployment of vulnerable versions.

References