CVE-2026-40376: Visual Studio Code Elevation of Privilege Vulnerability
Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- 1.123.2
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is an improper input validation vulnerability in Visual Studio Code that allows an unauthenticated remote attacker to elevate privileges. The exploit is reachable over a network, requires no authentication, but does need the victim to take some action, and involves high attack complexity. Successful exploitation gives the attacker full read, write, and availability impact on the affected system. A patched-image rebuild at version 1.123.2 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment. CVE-2026-40376 is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle Visual Studio Code or its components.
AvailableHarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild at Visual Studio Code 1.123.2 is available on HarborGuard for any environment found running an affected version (1.0.0 through 1.123.1). For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the vulnerable Visual Studio Code instance over the network; this is not a locally-only accessible attack surface.
- AuthenticationNot required
No credentials or prior account access are needed; the attacker can initiate the exploit as an unauthenticated party.
- Victim interactionRequired
A user of the affected VS Code instance must take some action (such as opening a malicious file or following a crafted link) for the exploit to succeed.
- Attack complexityDetail
Exploitation is rated high complexity, meaning the attacker must account for race conditions, specific environmental factors, or other conditions not fully under their control.
Blast Radius
- A successful attacker reads sensitive data accessible to the VS Code process, including workspace files, stored credentials, and tokens.
- The attacker can write or modify files and configuration on the affected host with the privileges of the elevated context.
- The attacker can disrupt or crash the affected VS Code instance and potentially dependent services running in the same environment.
- Privilege elevation means the attacker may pivot beyond the initial process boundary to affect the broader host or container environment.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-40376 is active across all customer environments, with matching against images that include Visual Studio Code versions from 1.0.0 up to 1.123.1. For environments where an affected version is found, a rebuilt image at version 1.123.2 is ready for deployment. Where compliance policy permits auto-remediation, HarborGuard performs the rebuild, executes a regression run against the new image, and opens a patch PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the rebuilt image and findings are surfaced in the HarborGuard dashboard for manual review and promotion.
- Microsoft / Visual Studio Code< 1.123.2 (from 1.0.0)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C