Cyber Resilience

CVE-2026-21523

High

Published: 10 February 2026
Modified: 11 February 2026
KEV Added: not listed
Patch: see the MSRC advisory under Deeper analysis
CVSS v3.1 score: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0003 (10.7th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21523 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Microsoft Visual Studio Code. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). Its EPSS score places it at the 10.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-21523 is a time-of-check time-of-use (TOCTOU) race condition vulnerability, classified under CWE-367, affecting GitHub Copilot and Visual Studio. Published on 2026-02-10, it has a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An authorized attacker with low privileges can exploit this vulnerability over a network by triggering the race condition; exploitation requires user interaction. Successful exploitation allows arbitrary code execution on the affected system.

Microsoft's Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21523 provides details on mitigation and patching guidance for the affected components.

EU & UK References

Vulnerability details

Time-of-check time-of-use (TOCTOU) race condition in GitHub Copilot and Visual Studio allows an authorized attacker to execute code over a network.

CWE(s)

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keywords: github copilot

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

TOCTOU race condition in client-side IDE/tool (VS/Copilot) directly enables arbitrary code execution via exploitation of the client application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21518 (same product: Microsoft Visual Studio Code)
CVE-2026-41611 (same product: Microsoft Visual Studio Code)
CVE-2026-41109 (same product: Microsoft Visual Studio Code)
CVE-2025-26631 (same product: Microsoft Visual Studio Code)
CVE-2026-41613 (same product: Microsoft Visual Studio Code)
CVE-2025-24042 (same product: Microsoft Visual Studio Code)
CVE-2025-24039 (same product: Microsoft Visual Studio Code)
CVE-2026-21510 (same vendor: Microsoft)
CVE-2025-21339 (same vendor: Microsoft)
CVE-2025-21407 (same vendor: Microsoft)

Affected Assets

Vendor: microsoft
Product: visual studio code
Affected versions: ≤ 1.109.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (control type: prevent)

Directly mitigates the TOCTOU race condition by requiring identification, testing, and installation of patches for the specific vulnerability in GitHub Copilot and Visual Studio.

SI-16 Memory Protection (control type: prevent)

Protects against arbitrary code execution resulting from TOCTOU exploitation through memory protections such as DEP, ASLR, and sandboxing.

Control type: prevent, detect

Monitors software execution and performs integrity checks to detect and prevent unauthorized code execution or modifications enabled by the race condition.

References