Skip to main content

Windows UDFS Driver CVE-2026-40404

| EUVDEUVD-2026-35656 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-09 secure@microsoft.com GHSA-h2q2-g4v6-v8fh
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:34 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.8

DescriptionNVD

Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability

AnalysisAI

Local privilege escalation in the Microsoft Windows Universal Disk Format File System (UDFS) driver allows an authenticated low-privileged user to gain SYSTEM-level code execution by triggering a heap-based buffer overflow (CWE-122). The flaw affects Windows endpoints where the UDFS kernel driver parses attacker-controlled UDF-formatted media (typically optical discs or mounted disc images). No public exploit identified at time of analysis and the issue is not currently listed on CISA KEV.

Technical ContextAI

UDFS.sys is the Windows kernel-mode driver responsible for mounting and parsing volumes formatted with the Universal Disk Format (UDF, ISO/IEC 13346 / ECMA-167) - the file system used by DVD-Video, Blu-ray, and many ISO images. CWE-122 (Heap-based Buffer Overflow) indicates the driver fails to correctly bound-check fields within UDF on-disk structures (e.g., file identifiers, allocation descriptors, or partition maps) before copying them into kernel heap allocations. Because parsing occurs in ring-0, corrupting non-paged or paged pool memory can be steered toward arbitrary kernel write primitives and SYSTEM-token theft. The Microsoft tag set ('Buffer Overflow, Heap Overflow, Microsoft') and the CVSS scope of S:U with full CIA impact are consistent with an in-process kernel pool corruption rather than a sandbox escape.

RemediationAI

Patch available per vendor advisory - apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40404 via Windows Update, WSUS, or your preferred patch management channel as soon as the corresponding KB has been validated in your environment. Exact fix KB numbers and build versions are not enumerated in the provided data and should be taken from the MSRC entry. As compensating controls until patching completes, disable automatic mounting of optical media and ISO images by setting the AutoRun/AutoPlay policies (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun) and consider blocking interactive ISO/IMG mounting via Group Policy or AppLocker - note this breaks legitimate workflows for users who mount disc images for software installs. On servers without a business need for optical/UDF media, the UDFS driver service can be disabled (sc.exe config udfs start= disabled) but verify no backup, imaging, or media-handling workloads depend on it before doing so.

Share

CVE-2026-40404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy