Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows NT OS Kernel allows an authenticated low-privileged user to elevate to higher privileges through an integer underflow condition. The flaw carries a CVSS 7.8 (High) rating with no public exploit identified at time of analysis, but Microsoft has issued a patch via MSRC. Defenders should treat this as a standard Patch-Tuesday-class kernel EoP that becomes a critical post-compromise pivot once initial access is achieved.
Technical ContextAI
The vulnerability resides in the core Windows NT OS Kernel, the privileged ring-0 component underpinning all supported Windows client and server SKUs. The root cause is CWE-190 (Integer Overflow or Wraparound) - specifically an integer underflow where an arithmetic operation produces a value below the representable minimum, wrapping around to a large unsigned value. In kernel code paths, such wraparound typically corrupts size calculations used in buffer allocation, length validation, or pointer arithmetic, enabling subsequent out-of-bounds writes or undersized buffer allocations that an attacker can leverage for memory corruption and ultimately arbitrary kernel-mode code execution.
RemediationAI
Apply the Microsoft-released patch as published in the MSRC update guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42916) by deploying the relevant cumulative update for each affected Windows client and server build through Windows Update, WSUS, or your standard patch management pipeline; exact KB identifiers are listed per-SKU in the MSRC entry. Because the vulnerability lives in the OS kernel itself, there is no feature toggle or configuration workaround - kernel patching is the only durable fix. As compensating controls until patching completes, restrict interactive and Remote Desktop logon rights on sensitive hosts to trusted administrators (reducing the pool of accounts that can satisfy the PR:L precondition, at the cost of reduced operational flexibility), enforce application allowlisting (e.g., WDAC or AppLocker) to limit unsigned binaries that would stage the exploit (cost: tuning effort and potential breakage of line-of-business apps), and prioritize endpoint detection coverage for anomalous token manipulation and kernel-mode driver loads. Refer to the vuldb tracking entry at https://vuldb.com/vuln/369616 for additional cross-referenced metadata.
More in Windows 10 1607
View allWindows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables
Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker
Active Directory Domain Services contains an elevation of privilege vulnerability that allows authenticated domain users
Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the
Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulne
Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow enabling local privilege escalation
Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote atta
In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptograph
Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables
Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a se
Windows Storage contains an elevation of privilege vulnerability through symlink following that allows authorized attack
Windows Ancillary Function Driver for WinSock contains a use-after-free enabling local privilege escalation through a nu
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35600
GHSA-5c99-j5fv-r62h