Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability
AnalysisAI
Local privilege escalation in the Microsoft Windows Universal Disk Format File System (UDFS) driver allows an authenticated low-privileged user to gain SYSTEM-level code execution by triggering a heap-based buffer overflow (CWE-122). The flaw affects Windows endpoints where the UDFS kernel driver parses attacker-controlled UDF-formatted media (typically optical discs or mounted disc images). No public exploit identified at time of analysis and the issue is not currently listed on CISA KEV.
Technical ContextAI
UDFS.sys is the Windows kernel-mode driver responsible for mounting and parsing volumes formatted with the Universal Disk Format (UDF, ISO/IEC 13346 / ECMA-167) - the file system used by DVD-Video, Blu-ray, and many ISO images. CWE-122 (Heap-based Buffer Overflow) indicates the driver fails to correctly bound-check fields within UDF on-disk structures (e.g., file identifiers, allocation descriptors, or partition maps) before copying them into kernel heap allocations. Because parsing occurs in ring-0, corrupting non-paged or paged pool memory can be steered toward arbitrary kernel write primitives and SYSTEM-token theft. The Microsoft tag set ('Buffer Overflow, Heap Overflow, Microsoft') and the CVSS scope of S:U with full CIA impact are consistent with an in-process kernel pool corruption rather than a sandbox escape.
RemediationAI
Patch available per vendor advisory - apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40404 via Windows Update, WSUS, or your preferred patch management channel as soon as the corresponding KB has been validated in your environment. Exact fix KB numbers and build versions are not enumerated in the provided data and should be taken from the MSRC entry. As compensating controls until patching completes, disable automatic mounting of optical media and ISO images by setting the AutoRun/AutoPlay policies (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun) and consider blocking interactive ISO/IMG mounting via Group Policy or AppLocker - note this breaks legitimate workflows for users who mount disc images for software installs. On servers without a business need for optical/UDF media, the UDFS driver service can be disabled (sc.exe config udfs start= disabled) but verify no backup, imaging, or media-handling workloads depend on it before doing so.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35656
GHSA-h2q2-g4v6-v8fh