Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Integer underflow (wrap or wraparound) in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows Storage Spaces Controller across Windows 11 (versions 22H3 through 26H1) and Windows Server 2022/2025 allows low-privileged authenticated users to achieve SYSTEM-level access via an integer underflow vulnerability. The flaw enables complete compromise of confidentiality, integrity, and availability on affected systems. EPSS risk data not available; no public exploit identified at time of analysis. Vendor-released patches are available for all affected versions.
Technical ContextAI
Windows Storage Spaces Controller is a Windows component responsible for managing software-defined storage pools and virtual disks. This vulnerability stems from CWE-191 (Integer Underflow/Wraparound), where arithmetic operations on integer values result in a value smaller than the minimum representable value, wrapping to a very large number. In this context, the underflow likely occurs during buffer size calculations or memory allocation operations within the Storage Spaces Controller driver or service. When exploited, the wraparound condition causes the controller to mishandle memory boundaries, enabling an attacker to corrupt kernel memory structures or bypass security checks. The affected CPE strings identify multiple Windows 11 consumer versions (22H2, 23H2, 24H2, 25H2, 26H1) and enterprise Windows Server platforms (2022 23H2 Edition and Server 2025, including Server Core installations), all sharing the vulnerable Storage Spaces implementation in kernel build ranges starting from 10.0.22631.0 through 10.0.28000.0.
RemediationAI
Apply the vendor-released security updates immediately via Windows Update or Microsoft Update Catalog. Patched versions are: Windows 11 22H3/23H2 build 10.0.22631.6936 or later, Windows 11 24H2 build 10.0.26100.32690 or later, Windows 11 25H2 build 10.0.26200.8246 or later, Windows 11 26H1 build 10.0.28000.1836 or later, Windows Server 2022 23H2 Edition build 10.0.25398.2274 or later, and Windows Server 2025 build 10.0.26100.32690 or later. Prioritize patching systems where Storage Spaces features are actively used and multiple user accounts have local access. If immediate patching is not feasible, restrict local user access to trusted accounts only and monitor for unauthorized privilege escalation attempts through security event logs (Event ID 4672 for special privilege assignments). Disable Storage Spaces service temporarily on non-critical systems if business continuity permits, though this may impact storage functionality. Full remediation guidance available in Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27907.
Same weakness CWE-191 – Integer Underflow
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22445
GHSA-p98g-6f6c-423f