CVE-2026-57973: Update WSL2 to 2.7.10 to Fix Data Tampering

Microsoft has issued a fix for CVE-2026-57973, a Windows Subsystem for Linux 2 vulnerability that could let a locally authorized attacker tamper with data through a race condition in the WSL2 environment. The affected WSL package range is version 5.0.0.0 through versions earlier than 2.7.10, making this a prompt update for developers, administrators, and security teams that permit WSL2 on managed Windows devices.
Microsoft’s Security Response Center published the advisory on July 14, 2026. The National Vulnerability Database lists the issue as a CWE-367 time-of-check, time-of-use (TOCTOU) race condition, carrying a CVSS 3.1 score of 6.3, or Medium severity. The practical message is straightforward: WSL2 installations need to be on version 2.7.10 or newer.
The affected component is specifically Windows Subsystem for Linux 2, not the older translation-based WSL1 architecture. That distinction matters in organizations where WSL remains enabled for a mix of developer workflows, build agents, containers, and local testing environments.

Stylized cybersecurity scene with Linux penguin, WSL terminal, protective shield, CI pipeline, and race-condition warning.A Local Attack With High Integrity Consequences​

Microsoft characterizes CVE-2026-57973 as requiring an authorized local attacker. There is no indication that an unauthenticated remote attacker can trigger the flaw over a network, and the published CVSS vector assigns high attack complexity. User interaction is not required once the attacker has the necessary local foothold.
The advisory’s impact rating is tampering: confidentiality and integrity are both rated High in the CVSS assessment, while availability is rated None. That does not automatically mean the flaw grants Linux root access, Windows administrator rights, or a virtual-machine escape. Microsoft has not published technical details establishing any of those outcomes, and administrators should resist filling in the blanks with worst-case assumptions.
What is clear is that a synchronization failure can cause a program to act on an object after the conditions checked earlier are no longer true. In a WSL2 context, that kind of defect can be especially relevant where Windows-hosted tooling, Linux processes, mounted file paths, or WSL-managed components cross timing-sensitive boundaries. The public description does not identify the vulnerable code path, affected file operation, or a proof of concept.
That lack of detail lowers immediate exposure to opportunistic attacks, but it does not lower the need to patch. TOCTOU defects are often difficult to exploit reliably, which is reflected in the High attack-complexity score, yet they can become more usable after researchers compare patched and unpatched releases.

WSL Updates Are Not Always Windows Update Updates​

The remediation is potentially easy to miss because modern WSL is delivered and updated as a separate package, frequently through the Microsoft Store rather than solely through monthly Windows cumulative updates. Microsoft’s WSL documentation recommends the Store-delivered version because it receives WSL feature and security updates as they become available.
On a WSL-enabled PC, check the installed package and component versions with:
wsl --version
Then update WSL with:
wsl --update
If Store delivery is unavailable or restricted, Microsoft documents a --web-download option:
wsl --update --web-download
After the update, stop currently running distributions and the WSL2 utility virtual machine so the updated components are used on the next launch:
wsl --shutdown
Run wsl --version again and verify that the WSL package version is 2.7.10 or later. wsl --status is also useful for confirming the installed configuration and kernel information, while wsl --list --verbose identifies which installed distributions are actually running under version 2.
A device can have WSL installed without actively running any WSL2 distributions. Conversely, a machine that has not been used for Linux development recently may still carry an older WSL package. Inventory should therefore begin with the WSL package version, not only with whether a user currently has an Ubuntu, Debian, Fedora, or other distribution window open.

The Enterprise Exposure Is Mostly About Local Footholds​

CVE-2026-57973 is not the kind of vulnerability that should trigger emergency network perimeter changes. Its prerequisite is a local, authorized attacker, so the principal concern is post-compromise activity: malware running as a standard user, a malicious developer dependency, an abused local account, or a shared workstation where an attacker already has interactive access.
For organizations that use WSL2 as part of software engineering workflows, the affected population may include more than developer laptops. Self-hosted CI runners, build workstations, test VMs, lab systems, and jump boxes sometimes run WSL2 for automation or Linux-native tools. Those systems can be easy to overlook because WSL is often treated as a developer convenience rather than as a separately patched virtualized platform.
The immediate operational priority is modest but concrete:
  • Update all WSL2 installations to version 2.7.10 or newer and restart their WSL environments.
  • Use endpoint inventory, software deployment tooling, or a PowerShell query to identify devices where wsl --version reports an older package.
  • Review systems that use WSL2 in automated build or deployment workflows, especially where standard-user processes handle sensitive source code, credentials, or release artifacts.
  • Treat imported distributions and custom WSL deployments as exceptions requiring direct validation rather than assuming a routine Windows patch cycle has resolved them.
Microsoft has not identified public exploitation of CVE-2026-57973, and Zero Day Initiative’s July 2026 Patch Tuesday review likewise listed no known public exploit or active attack. That makes this a patch-before-it-becomes-interesting vulnerability rather than an incident-response emergency. Still, the value of patching is higher in environments where WSL2 is allowed to access source repositories, package registries, cloud credentials, SSH keys, or Windows-mounted project directories.

Do Not Confuse the CVSS Score With the Operational Risk​

A 6.3 Medium score can look routine in a large Patch Tuesday backlog, but the score captures exploit prerequisites, not the business value of what sits behind a successful local compromise. WSL2 is frequently used where developers keep the very material an attacker wants: unreleased code, build signing processes, deployment tokens, and cloud configuration.
The advisory’s High confidentiality and integrity ratings are more important than the absence of an availability impact. A tampering flaw is not a crash-only issue. In the wrong workflow, an attacker who can alter code, configuration, or artifacts may be able to create a longer-lived supply-chain or credential-theft problem without attracting attention through an obvious outage.
At the same time, there is no published basis for claiming that every WSL2 user is exposed to a host compromise. The scope in Microsoft’s CVSS vector remains unchanged, and the current disclosure does not establish a Windows privilege escalation or VM-boundary bypass. The right response is to update the affected WSL package, validate the version, and avoid over-interpreting sparse technical disclosures.
For most Windows users, wsl --update followed by wsl --shutdown closes the immediate gap. For IT teams, the next milestone is verifying that WSL2 version 2.7.10 or later—not merely the latest Windows cumulative update—is present across the systems where Linux workloads are part of the development stack.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Official source: microsoft.com
  4. Related coverage: vulners.com
 

Back
Top