CVE-2026-21523

Published Feb 10, 2026

Last updated a month ago

CVSS high 8.0

Overview

Description
Time-of-check time-of-use (toctou) race condition in GitHub Copilot and Visual Studio allows an authorized attacker to execute code over a network.
Source
secure@microsoft.com
NVD status
Analyzed
Products
visual_studio_code

Risk scores

CVSS 3.1

Type
Primary
Base score
8
Impact score
5.9
Exploitability score
2.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

secure@microsoft.com
CWE-367

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network.CVE-2026-21518
  2. Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature over a network.CVE-2025-64660
  3. Improper validation of generative ai output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally.CVE-2025-62453
  4. Ai command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network.CVE-2025-55319
  5. Files or directories accessible to external parties in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.CVE-2025-21264

References

Sources include official advisories and independent security research.