CVE-2025-32726: Visual Studio Code Elevation of Privilege Vulnerability

Overview

Severity

Medium (CVSS 6.8)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2025-Apr

Released

2025-04-08

Last Updated

2025-07-03

EPSS Score

0.74% (percentile: 73.0%)

Description

Improper access control in Visual Studio Code allows an authorized attacker to elevate privileges locally.

FAQ

What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could execute code in the context of another Visual Studio Code user on the vulnerable system. According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), and integrity (I:H), and some loss of availability (A:L). What does that mean for this vulnerability? An attacker who successfully exploited this vulnerability could view sensitive information (Confidentiality) and modify code in the repo, (Integrity), and they might be able to interfere with availability of the code (Availability).

Affected Products (1)

Developer Tools

• Visual Studio Code

Security Updates (1)

• Release Notes

Acknowledgments

<a href="https://www.linkedin.com/in/ivanlepies/">Ivan Lepies</a> with <a href="https://www.istrosec.com/">IstroSec s.r.o.</a>, <a href="https://kdsjzh.github.io/">Han Zheng</a> with <a href="https://hexhive.epfl.ch/">HexHive</a>

Revision History

• 2025-04-08: Information published.
• 2025-07-03: Added an acknowledgement. This is an informational change only.