CVE-2019-1414 — Visual Studio Code Elevation of Privilege Vulnerability

Executive Summary

An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer. A local attacker who successfully exploited the vulnerability could inject arbitrary code to run in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, a local attacker would need to determine which port Visual Studio Code is listening on for a targeted user. The update address the vulnerability by modifying the way Visual Studio Code enables debug ports.

Overview

Important

MS Severity

Not Exploited

MS Exploit Status

Not Found

MS Exploit Likelihood

Category Elevation of Privilege

Released Oct 8 2019

Last Updated Oct 8 2019

Publicly Disclosed No

CISA KEV Not Listed

Known Exploits None Known

EPSS Score 0.01045 — 0.59666 percentile

EPSS Score

0.01045

probability of exploitation in the next 30 days

0.59666 percentile - updated 2026-06-20

View on FIRST.org

Affected Products

1 affected product

Product	KB Article	Severity	Impact	Restart Required
Visual Studio Code	`Release Notes (Security Update)`	Important	Elevation of Privilege	Maybe

Patches

1 patch

Article	Type	Restart
`Release Notes`	Security Update	Maybe

Known Exploits

No known exploits have been linked for this CVE yet. When available, exploit references will be sourced from public repositories and may be unverified, incomplete, or non-functional. Always review code carefully before use in any environment.

Acknowledgments

Francesco Soncina, Tavis Ormandy of Google Project Zero

References

MSRC Advisory MITRE NVD