
WinFsp Vulnerability CVE-2026-3006 Requires Immediate Update

Source: CSA Alerts & Advisories (Singapore)

Summary

CSA has issued CVE ID CVE-2026-3006 to a vulnerability reported in WinFsp, an open-source system software. The vulnerability is a race condition affecting WinFsp versions 2.1.25156 and lower. Successful exploitation could allow an attacker to trigger a kernel heap overflow, potentially leading to local privilege escalation and granting system-level access. The Product Owner has released security update v2.2B1 to address it.

“Successful exploitation of the race condition vulnerability could allow an attacker to trigger a kernel heap overflow, potentially leading to local privilege escalation and granting system-level access to the affected software.”

CSA, verbatim from source

Why this matters

Organizations running WinFsp on Windows systems should verify their installed version and update to v2.2B1 or later without delay. Given the kernel-level access possible through this race condition vulnerability, organizations should treat this as an urgent patching priority regardless of other scheduled update cycles.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by CSA on csa.gov.sg. Detected, standardized, and enriched by GovPing.

About this source

The Cyber Security Agency of Singapore is the country's lead cybersecurity authority. Their alerts and advisories page publishes vulnerability notifications, active exploitation warnings, and remediation guidance with a focus on software widely used across ASEAN enterprise: financial services, telecoms, healthcare, government. Around 30 advisories a month, each with CVE references, severity, and patching steps. CSA tends to publish faster than CISA on vulnerabilities affecting Asian-headquartered vendors and is the authoritative voice for Singapore-licensed financial institutions under the MAS Technology Risk Management framework. Watch this if you run security in Asia-Pacific, advise MAS-regulated firms, or track regional CVE coverage. GovPing publishes each advisory with affected vendor, CVE, and original CSA link.

What changed

CSA issued a vulnerability disclosure (CVE-2026-3006) for WinFsp, an open-source system software. The vulnerability is a race condition affecting WinFsp versions 2.1.25156 and lower. Successful exploitation could allow an attacker to trigger a kernel heap overflow, potentially leading to local privilege escalation and granting system-level access to affected software.

Organizations and administrators using WinFsp should immediately update to version 2.2B1 or the latest available version to mitigate the risk of local privilege escalation attacks.

What to do next

  1. Update to the latest version immediately

Archived snapshot

Apr 27, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Alerts

Vulnerability in Windows File System Proxy (WinFsp)

27 April 2026

CSA has issued a CVE ID to a vulnerability reported in WinFsp as part of CSA’s Responsible Vulnerability Disclosure Policy. Users and administrators of the affected product version are advised to update to the latest version immediately.

Background

CSA has issued a CVE ID (CVE-2026-3006) to a vulnerability reported in WinFsp, an open-source system software. The Product Owner of WinFsp has released a security update to address it.

Impact

Successful exploitation of the race condition vulnerability could allow an attacker to trigger a kernel heap overflow, potentially leading to local privilege escalation and granting system-level access to the affected software.

Affected Products

The vulnerability affects WinFsp versions 2.1.25156 and lower.

Mitigation

Users and administrators of affected product versions are advised to update to the latest version immediately.

Special Thanks to:

  • Informer: Mr Tay Kiat Loong
  • Product Owner: WinFsp

References

https://github.com/winfsp/winfsp/releases/tag/v2.2B1


About this page

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CSA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: CSA
Published: April 27th, 2026
Instrument: Notice
Branch: Executive
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies, Government agencies, Manufacturers
Industry sector: 5112 Software & Technology
Activity scope: Software vulnerability disclosure, Kernel security patching, System software updates
Geographic scope: Singapore (SG)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Data Privacy, Intellectual Property
