Skip to main content

Windows Storage Spaces Controller CVE-2026-35415

| EUVDEUVD-2026-29622 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-12 microsoft GHSA-237p-qjh7-f926
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 19:00 vuln.today
CVE Published
May 12, 2026 - 16:58 nvd
HIGH 7.8

DescriptionCVE.org

Integer overflow or wraparound in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows Storage Spaces Controller enables authenticated users with low-level access to gain SYSTEM-level privileges by exploiting an integer overflow that leads to memory corruption. Affects Windows 10 (1607 through 22H2), Windows 11 (all versions through 26H1), and Windows Server 2012 R2. Microsoft has released security updates through their March 2026 Patch Tuesday. No active exploitation confirmed in CISA KEV at time of analysis, though the combination of low attack complexity (AC:L) and no user interaction requirement (UI:N) makes post-compromise exploitation straightforward for attackers who have already obtained initial access.

Technical ContextAI

Windows Storage Spaces Controller is a storage virtualization component that manages pooled physical disks and provides resilient storage volumes in Windows environments. The vulnerability stems from CWE-190 (Integer Overflow or Wraparound), where arithmetic operations on integer values exceed maximum representable values, wrapping to small numbers. In this context, the overflow likely occurs during size calculations for memory allocation or buffer operations within the Storage Spaces Controller driver or service. When an integer wraps to an unexpectedly small value, subsequent memory operations use this incorrect size, leading to buffer overflows that can corrupt memory and hijack control flow. The CVSS vector indicates this is exploitable locally (AV:L) by users with low-level privileges (PR:L), suggesting the vulnerable code path is accessible through standard Storage Spaces management interfaces or system calls available to authenticated users.

RemediationAI

Apply the Microsoft security updates released through the March 2026 Patch Tuesday cycle, available via Windows Update, WSUS, or Microsoft Update Catalog at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35415. Organizations should prioritize patching systems with exposed user access (terminal servers, jump hosts, shared workstations) and high-value targets (domain controllers, administrative systems) where privilege escalation poses greatest risk. If immediate patching is not feasible, implement compensating controls: restrict Storage Spaces Controller access by removing users from the Storage Spaces management permissions group (accessible via Computer Management > Storage > Storage Spaces), though this may impact legitimate storage administration workflows. Enable Attack Surface Reduction (ASR) rules and Application Control policies (AppLocker/WDAC) to restrict execution of unsigned binaries that could leverage this vulnerability. Deploy enhanced monitoring for Event ID 4673 (sensitive privilege use) and unusual interactions with storagevirtualizationservice.exe or spacecontroller.dll. Note that disabling Storage Spaces Controller service entirely breaks storage pool functionality and is only viable for systems not using Storage Spaces features. Verify patch deployment through Windows Update history or registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages for KB article associated with this CVE.

Share

CVE-2026-35415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy