Skip to main content

Windows Bluetooth Driver CVE-2026-45640

| EUVDEUVD-2026-35684 HIGH
Use After Free (CWE-416)
2026-06-09 secure@microsoft.com GHSA-p23p-88jv-fvg5
High
Disputed · 7.0 NVD
Temporal: 6.1
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
CRITICAL
qualitative
CIRCL (temporal)
6.1 MEDIUM
cvss

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 18:05 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.0

DescriptionNVD

Use after free in Windows Bluetooth Port Driver allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in the Windows Bluetooth Port Driver allows an authorized low-privileged attacker to elevate to higher privileges by triggering a use-after-free condition in the kernel-mode driver. The flaw is reported by Microsoft Security Response Center and carries a CVSS 7.0 (high) rating with high attack complexity, and no public exploit identified at time of analysis. EPSS data and CISA KEV status were not provided in the input, so widespread exploitation is not confirmed.

Technical ContextAI

The vulnerability resides in the Windows Bluetooth Port Driver, a kernel-mode component (typically BthPort.sys) that mediates communication between the Bluetooth stack and underlying transport drivers. The root cause is CWE-416 (Use After Free), where memory is referenced after it has been freed - commonly triggered by race conditions between IRP (I/O Request Packet) handling, device arrival/removal events, or concurrent IOCTL invocations against the driver. Successful exploitation of a UAF in a kernel driver typically yields kernel-mode code execution, enabling full SYSTEM-level compromise of the host. No CPE strings were provided in the input, so the specific affected Windows builds must be retrieved from Microsoft's update guide.

RemediationAI

Patch available per vendor advisory - apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45640 via Windows Update or WSUS as soon as it appears in your patch cycle, selecting the KB matching each affected Windows build. Where patching must be deferred, the most effective compensating control is to disable the Bluetooth service (bthserv) and unload/disable the Bluetooth radio in Device Manager on systems that do not require wireless peripherals, which fully removes the attack surface but breaks Bluetooth keyboards, mice, headsets, and proximity-unlock features. On managed fleets, you can additionally restrict local logon to trusted accounts (since PR:L is required) via Group Policy 'Deny log on locally' to limit who can stage the local trigger. Standard kernel-mode mitigations such as Hypervisor-protected Code Integrity (HVCI) and Virtualization-Based Security (VBS) raise the bar for converting the UAF into reliable SYSTEM execution but do not eliminate the bug.

Share

CVE-2026-45640 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy