Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
Double free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.
AnalysisAI
Double free vulnerability in Microsoft Brokering File System enables local privilege escalation on Windows 11 (versions 24H2, 25H2, 26H1) and Windows Server 2025. Low-privileged authenticated users can exploit memory corruption (CWE-415) to gain SYSTEM-level access with high attack complexity. Microsoft has released patches addressing builds prior to 10.0.26100.32690 (24H2/Server 2025), 10.0.26200.8246 (25H2), and 10.0.28000.1836 (26H1). EPSS score of 0.04% (11th percentile) and SSVC assessment of no active exploitation suggest low immediate threat despite 7.0 CVSS score, though CISA classifies technical impact as total (complete system compromise).
Technical ContextAI
The vulnerability stems from a double free condition (CWE-415) in the Microsoft Brokering File System component, a Windows subsystem that manages file operations and resource brokering between applications and the operating system. Double free vulnerabilities occur when memory is deallocated multiple times, corrupting heap metadata and potentially allowing attackers to manipulate memory allocation patterns. This class of memory corruption bug can lead to arbitrary code execution when successfully exploited. The affected component is present only in modern Windows builds: Windows 11 24H2 (builds below 10.0.26100.32690), Windows 11 25H2 (builds below 10.0.26200.8246), Windows 11 26H1 (builds below 10.0.28000.1836), and Windows Server 2025 including Server Core installations (builds below 10.0.26100.32690). The vulnerability requires local access with low-level privileges (PR:L), suggesting it affects standard user accounts rather than requiring administrative access initially.
RemediationAI
Apply Microsoft security updates immediately to patch the double free vulnerability. Update Windows 11 24H2 systems to build 10.0.26100.32690 or later, Windows 11 25H2 systems to build 10.0.26200.8246 or later, Windows 11 26H1 systems to build 10.0.28000.1836 or later, and Windows Server 2025 (including Server Core) to build 10.0.26100.32690 or later via Windows Update or Microsoft Update Catalog. For environments unable to immediately patch, implement compensating controls: restrict local logon rights to only trusted users via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on locally), enable and monitor Windows Defender Exploit Guard for heap corruption attempts, implement application control policies using AppLocker or Windows Defender Application Control to prevent unauthorized code execution, and deploy enhanced monitoring for unusual privilege escalation patterns via Event IDs 4672 (special privileges assigned) and 4688 (process creation with elevated tokens). These mitigations significantly increase attack complexity but may impact legitimate applications requiring local user access or dynamic code execution. Compensating controls do not eliminate risk and should be considered temporary measures until patching is completed. Reference Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32219 for detailed patch deployment guidance.
Same weakness CWE-415 – Double Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22605
GHSA-jrwx-4hj3-h58w