CVE-2026-7791: CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in Amazon Workspaces
CVE-2026-7791 is a high-severity time-of-check to time-of-use (TOCTOU) race condition vulnerability in Amazon WorkSpaces for Windows versions prior to 2.6.2034.0. It affects the log rotation mechanism of the Skylight Workspace Config Service, allowing a local non-administrative authenticated user to bypass file system permission protections and place arbitrary files in arbitrary locations. Exploitation can lead to local privilege escalation to SYSTEM level. There are no known exploits in the wild and no confirmed patch or official remediation level provided in the available data. Users should consult the vendor advisory for the latest remediation guidance.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-7791) is a TOCTOU race condition in Amazon WorkSpaces for Windows affecting versions before 2.6.2034.0. The issue lies in the Skylight Workspace Config Service's log rotation mechanism, which improperly handles file system permissions during the check and use phases. This flaw allows a local authenticated user without administrative privileges to bypass these protections and place arbitrary files in arbitrary locations on the file system. Successful exploitation can result in local privilege escalation to SYSTEM level. The CVSS 3.1 base score is 7.8, indicating high severity. No known exploits are reported in the wild. The vendor has not provided an official remediation level or confirmed patch status in the available data. The advisory URL from AWS is provided for further updates.
Potential Impact
A local non-administrative authenticated user can exploit this TOCTOU race condition to bypass file system permission protections and place arbitrary files in arbitrary locations. This can lead to local privilege escalation to SYSTEM level, granting the attacker full control over the affected system. No known exploits have been observed in the wild to date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://aws.amazon.com/security/security-bulletins/2026-025-aws/ for current remediation guidance. Until an official fix is available, users should follow any vendor recommendations and consider restricting local user access where possible to reduce risk.
CVE-2026-7791: CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in Amazon Workspaces
Description
CVE-2026-7791 is a high-severity time-of-check to time-of-use (TOCTOU) race condition vulnerability in Amazon WorkSpaces for Windows versions prior to 2.6.2034.0. It affects the log rotation mechanism of the Skylight Workspace Config Service, allowing a local non-administrative authenticated user to bypass file system permission protections and place arbitrary files in arbitrary locations. Exploitation can lead to local privilege escalation to SYSTEM level. There are no known exploits in the wild and no confirmed patch or official remediation level provided in the available data. Users should consult the vendor advisory for the latest remediation guidance.
CVSS v3.1
Score 7.8high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-7791) is a TOCTOU race condition in Amazon WorkSpaces for Windows affecting versions before 2.6.2034.0. The issue lies in the Skylight Workspace Config Service's log rotation mechanism, which improperly handles file system permissions during the check and use phases. This flaw allows a local authenticated user without administrative privileges to bypass these protections and place arbitrary files in arbitrary locations on the file system. Successful exploitation can result in local privilege escalation to SYSTEM level. The CVSS 3.1 base score is 7.8, indicating high severity. No known exploits are reported in the wild. The vendor has not provided an official remediation level or confirmed patch status in the available data. The advisory URL from AWS is provided for further updates.
Potential Impact
A local non-administrative authenticated user can exploit this TOCTOU race condition to bypass file system permission protections and place arbitrary files in arbitrary locations. This can lead to local privilege escalation to SYSTEM level, granting the attacker full control over the affected system. No known exploits have been observed in the wild to date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://aws.amazon.com/security/security-bulletins/2026-025-aws/ for current remediation guidance. Until an official fix is available, users should follow any vendor recommendations and consider restricting local user access where possible to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- AMZN
- Date Reserved
- 2026-05-04T18:48:58.397Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://aws.amazon.com/security/security-bulletins/2026-025-aws/","vendor":"AWS"}]
Threat ID: 69f91c23cbff5d8610512c35
Added to database: 5/4/2026, 10:22:27 PM
Last enriched: 6/10/2026, 4:52:54 PM
Last updated: 6/18/2026, 4:33:26 AM
Views: 105
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.