CVE-2025-26631

High

Published: 11 March 2025

Published

11 March 2025

Modified

03 July 2025

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0033 55.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26631 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Microsoft Visual Studio Code. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL (T1574.001); ranked in the top 44.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to DLL (T1574.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the uncontrolled search path vulnerability in Visual Studio Code by requiring timely flaw remediation through patching as per Microsoft's update guide.

AC-6 Least Privilege partial match

prevent

Limits the impact of local privilege escalation by enforcing least privilege for users and processes, reducing what an attacker can achieve upon exploitation.

CM-11 User-installed Software partial match

prevent

Addresses user-installed software like Visual Studio Code by establishing policies to restrict or approve installations, preventing deployment of vulnerable versions.

MITRE ATT&CK Enterprise TechniquesAI

T1574.001 DLL Stealth

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.

attack.mitre.org →

Why these techniques?

Uncontrolled search path element (CWE-427) directly enables DLL Search Order Hijacking to achieve local privilege escalation with user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Uncontrolled search path element in Visual Studio Code allows an authorized attacker to elevate privileges locally.

Deeper analysisAI

CVE-2025-26631 is an uncontrolled search path element vulnerability, classified under CWE-427, affecting Visual Studio Code. Published on 2025-03-11, it carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability.

A local attacker with low privileges can exploit this vulnerability by leveraging the uncontrolled search path, provided they induce user interaction. Successful exploitation allows privilege escalation on the affected system.

Microsoft's update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26631 provides details on mitigation and patching for this vulnerability.

Details

CWE(s): CWE-427

Affected Products

microsoft

visual studio code

≤ 1.98.0

CVEs Like This One

CVE-2025-24039Same product: Microsoft Visual Studio Code

CVE-2025-24042Same product: Microsoft Visual Studio Code

CVE-2026-21518Same product: Microsoft Visual Studio Code

CVE-2025-24998Same vendor: Microsoft

CVE-2026-21523Same product: Microsoft Visual Studio Code

CVE-2025-25003Same vendor: Microsoft

CVE-2026-32172Same vendor: Microsoft

CVE-2025-21206Same vendor: Microsoft

CVE-2023-53959Shared CWE-427

CVE-2025-33229Same vendor: Microsoft

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26631
Vendor Advisory · secure@microsoft.com