Critical Remote Code Execution Vulnerability Found in VS Code Webview Protocol

A critical remote code execution vulnerability has been identified in Visual Studio Code versions 1.119.0 and earlier, affecting the internal protocol that webviews use to load VS Code-controlled root webview content. The flaw could enable untrusted scripts to execute within the webview environment, potentially exposing developers to code injection attacks. Microsoft has released version 1.119.1 containing the patch, though users of affected versions remain at risk until they update.

The vulnerability stems from incorrect buffer handling in the webview protocol provider. According to the patch commit, the fix ensures that the correctly sized buffer is passed to the webview protocol provider—a technical misconfiguration that created a vector for potential code execution. The Microsoft Security Response Center has catalogued the flaw under CVE-2026-41611. As a workaround, users were advised to avoid opening webviews capable of loading untrusted content, though this restriction proves impractical for typical development workflows.

The disclosure carries significant weight given VS Code's position as the world's most widely used code editor. An attacker capable of crafting malicious web content could potentially leverage this vulnerability to execute arbitrary code on developer machines, with access to source repositories, credentials, and development environment configurations. Organizations and individual developers still running VS Code 1.119.0 or earlier should update immediately to version 1.119.1 or later to mitigate exposure.