Severity by source
Sources disagree (Medium–Critical)AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Use after free in Windows Bluetooth Port Driver allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows Bluetooth Port Driver allows an authorized low-privileged attacker to elevate to higher privileges by triggering a use-after-free condition in the kernel-mode driver. The flaw is reported by Microsoft Security Response Center and carries a CVSS 7.0 (high) rating with high attack complexity, and no public exploit identified at time of analysis. EPSS data and CISA KEV status were not provided in the input, so widespread exploitation is not confirmed.
Technical ContextAI
The vulnerability resides in the Windows Bluetooth Port Driver, a kernel-mode component (typically BthPort.sys) that mediates communication between the Bluetooth stack and underlying transport drivers. The root cause is CWE-416 (Use After Free), where memory is referenced after it has been freed - commonly triggered by race conditions between IRP (I/O Request Packet) handling, device arrival/removal events, or concurrent IOCTL invocations against the driver. Successful exploitation of a UAF in a kernel driver typically yields kernel-mode code execution, enabling full SYSTEM-level compromise of the host. No CPE strings were provided in the input, so the specific affected Windows builds must be retrieved from Microsoft's update guide.
RemediationAI
Patch available per vendor advisory - apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45640 via Windows Update or WSUS as soon as it appears in your patch cycle, selecting the KB matching each affected Windows build. Where patching must be deferred, the most effective compensating control is to disable the Bluetooth service (bthserv) and unload/disable the Bluetooth radio in Device Manager on systems that do not require wireless peripherals, which fully removes the attack surface but breaks Bluetooth keyboards, mice, headsets, and proximity-unlock features. On managed fleets, you can additionally restrict local logon to trusted accounts (since PR:L is required) via Group Policy 'Deny log on locally' to limit who can stage the local trigger. Standard kernel-mode mitigations such as Hypervisor-protected Code Integrity (HVCI) and Virtualization-Based Security (VBS) raise the bar for converting the UAF into reliable SYSTEM execution but do not eliminate the bug.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35684
GHSA-p23p-88jv-fvg5