Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows Kernel allows an authenticated low-privilege attacker to elevate to SYSTEM by triggering a use-after-free condition in kernel memory. The flaw carries a CVSS 7.0 rating with high attack complexity, and no public exploit identified at time of analysis. Exploitation requires a race condition or specific timing to be won, which constrains reliable weaponization but does not eliminate the risk on multi-user or shared Windows hosts.
Technical ContextAI
The vulnerability resides in the Windows Kernel, the core ring-0 component responsible for process scheduling, memory management, and hardware abstraction across all supported Windows editions. The root cause is CWE-122 (heap-based buffer overflow) combined with a use-after-free pattern, where a kernel object is referenced after its backing memory has been freed and potentially reallocated. The 'Heap Overflow' and 'Buffer Overflow' tags suggest the freed object's slot can be reclaimed with attacker-controlled data, enabling type confusion or controlled writes into kernel heap structures. Successful manipulation of freed kernel pool memory typically leads to corruption of dispatch tables, token objects, or function pointers that the kernel later dereferences with full privilege.
RemediationAI
Apply the Microsoft security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45653 as soon as it appears in your normal Patch Tuesday cycle; exact fix KB numbers per Windows SKU are listed in that update guide and should be deployed via Windows Update, WSUS, Intune, or your standard patch management pipeline. Patch available per vendor advisory - no specific fix version was provided in the input data, so cross-reference the MSRC entry to map your build to the correct cumulative update. As compensating controls until patched, restrict interactive and remote logon to trusted users on sensitive hosts (Group Policy: 'Allow log on locally' and 'Allow log on through Remote Desktop Services'), tighten AppLocker or Windows Defender Application Control to block unsigned binaries from standard users (trade-off: may break legitimate developer or admin tooling), and enable Microsoft Defender attack-surface-reduction rules plus tamper protection so EDR can flag anomalous kernel-callback behavior (trade-off: increased telemetry volume but no functional impact on users).
More in Windows 10 1607
View allWindows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables
Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker
Active Directory Domain Services contains an elevation of privilege vulnerability that allows authenticated domain users
Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the
Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulne
Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow enabling local privilege escalation
Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote atta
In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptograph
Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables
Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a se
Windows Storage contains an elevation of privilege vulnerability through symlink following that allows authorized attack
Windows Ancillary Function Driver for WinSock contains a use-after-free enabling local privilege escalation through a nu
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35569
GHSA-2f5f-6jgg-m49q