Skip to main content

Windows Bluetooth Service CVE-2026-45605

| EUVDEUVD-2026-35682 HIGH
Use After Free (CWE-416)
2026-06-09 secure@microsoft.com GHSA-7875-jr7x-qfvp
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 18:09 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.8

DescriptionNVD

Use after free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in the Windows Bluetooth Service stems from a use-after-free condition (CWE-416) that an authenticated low-privilege user can trigger to gain elevated rights on the host. The CVSS 7.8 vector (AV:L/AC:L/PR:L/UI:N) reflects a fully local attack with high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. The flaw was reported by Microsoft (secure@microsoft.com) and tracked in the MSRC update guide.

Technical ContextAI

The Windows Bluetooth Service (bthserv) is a system-level Windows component responsible for managing Bluetooth radios, pairing, and protocol stack interactions; it typically runs with SYSTEM-level privileges and exposes IPC surfaces (RPC/COM/IOCTL) to lower-privileged callers. CWE-416 (Use After Free) indicates the service references a heap object after it has been deallocated, allowing the freed memory to be re-allocated and controlled by the attacker before the dangling pointer is dereferenced. Because the service operates in a higher trust boundary than the caller, controlling the freed object's contents can corrupt function pointers or vtables and pivot execution into attacker-supplied data, resulting in arbitrary code execution in the service's context.

RemediationAI

Apply the Microsoft security update referenced on the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45605 for each affected Windows edition and build - exact fixed build numbers are published per-SKU in that advisory and should be cited as the patch of record. As a compensating control on hosts where patching must be delayed, disable the Bluetooth Support Service (bthserv) via 'sc config bthserv start= disabled' and stop the service, which removes the vulnerable attack surface but breaks all Bluetooth peripheral functionality (keyboards, mice, audio, file transfer). On endpoints that do not require Bluetooth, disable the radio at the hardware/UEFI level or via Group Policy ('Allow Bluetooth' set to Disabled) to prevent the service from being reactivated; restricting interactive and remote logon (e.g., RDP) to trusted users on shared hosts further reduces the population of attackers able to call the local interface.

Share

CVE-2026-45605 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy