Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Use after free in Windows Container Isolation FS Filter Driver allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows Container Isolation FS Filter Driver affects all supported Windows 10, Windows 11, and Windows Server versions through use-after-free memory corruption. Low-complexity attack requires only low-privileged local access to achieve full system compromise (SYSTEM-level privileges). Microsoft has released patches for all affected versions. No public exploit identified at time of analysis, but the low attack complexity (AC:L) and requirement for only low privileges
Technical ContextAI
The vulnerability resides in the Windows Container Isolation FS Filter Driver, a kernel-mode component responsible for filesystem isolation in Windows containers. The flaw is a use-after-free condition (CWE-416), a class of memory corruption vulnerability where the driver continues to reference memory after it has been deallocated. In kernel-mode drivers, use-after-free bugs are particularly dangerous because they execute with SYSTEM privileges and can bypass user-mode security boundaries. When exploited, an attacker can manipulate freed memory to control program execution flow or corrupt kernel data structures. The affected CPE strings indicate this vulnerability impacts the entire Windows ecosystem from legacy Windows 10 Version 1607 through the latest Windows 11 Version 26H1 and Windows Server 2025, suggesting the vulnerable code has been present across multiple Windows generations. The driver's role in container isolation means it's accessible to any authenticated user on systems with container features enabled, either through Docker, Hyper-V containers, or Windows Sandbox.
RemediationAI
Apply Microsoft's May 2026 security updates immediately through Windows Update or WSUS to remediate this vulnerability. Fixed versions include Windows 10 1607 build 10.0.14393.9060 or later, Windows 10 1809 build 10.0.17763.8644 or later, Windows 10 21H2 build 10.0.19044.7184 or later, Windows 10 22H2 build 10.0.19045.7184 or later, Windows 11 22H3/23H2 build 10.0.22631.6936 or later, Windows 11 24H2 build 10.0.26100.32690 or later, Windows 11 25H2 build 10.0.26200.8246 or later, Windows 11 26H1 build 10.0.28000.1836 or later, Windows Server 2016 build 10.0.14393.9060 or later, Windows Server 2019 build 10.0.17763.8644 or later, Windows Server 2022 build 10.0.20348.5020 or later, Windows Server 2022 23H2 Edition build 10.0.25398.2274 or later, and Windows Server 2025 build 10.0.26100.32690 or later. Download patches from Microsoft Update Catalog or configure automatic updates. No workarounds are available; patching is the only effective mitigation. Refer to the official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33098 for deployment guidance and known issues.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22619