Skip to main content

Microsoft Kinect EUVDEUVD-2026-35503

| CVE-2026-41092 HIGH
Improper Access Control (CWE-284)
2026-06-09 secure@microsoft.com GHSA-qqh6-q4cq-fv8r
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:35 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.8

DescriptionNVD

Improper access control in Microsoft Kinect allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Microsoft Kinect allows an authenticated low-privileged user to elevate to higher privileges due to improper access control (CWE-284). The vulnerability carries a CVSS 7.8 (High) rating with local attack vector and low complexity, and no public exploit identified at time of analysis. Successful exploitation yields high impact to confidentiality, integrity, and availability on the affected host.

Technical ContextAI

The flaw resides in Microsoft Kinect, the sensor platform and associated runtime/driver components used for motion sensing, depth imaging, and skeletal tracking on Windows hosts. The root cause is classified as CWE-284 (Improper Access Control), meaning that one or more privileged operations, files, IPC endpoints, device interfaces, or service entry points exposed by the Kinect stack do not adequately validate the caller's identity or permissions. Because Kinect components typically include user-mode services and kernel-adjacent device drivers running at SYSTEM, a missing or insufficient ACL/permission check on such an interface lets a lower-privileged process invoke functionality intended only for administrators or SYSTEM. No CPE data was provided to pin down the exact affected SKU (Kinect for Windows runtime/SDK versus an Xbox-linked component).

RemediationAI

Patch available per vendor advisory - apply the Microsoft security update referenced on the MSRC page at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41092 as soon as it is published or, if already released, deploy it via Windows Update or WSUS to all systems with Kinect runtime, drivers, or SDK components installed. Where patching must be delayed, reduce exposure by uninstalling the Kinect runtime and SDK from systems that do not require it, restricting interactive and remote-interactive logon rights on hosts where the components remain (since exploitation requires local authenticated access), and tightening ACLs on Kinect-related service binaries, named pipes, and device interfaces while monitoring for unexpected child processes of Kinect services - note that removing the runtime will break Kinect-dependent applications and that ACL hardening may destabilize legitimate Kinect functionality, so test before broad rollout.

Share

EUVD-2026-35503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy