Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Untrusted search path in Windows Storage allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows Storage allows an authorized low-privilege user to gain higher privileges through an untrusted search path weakness (CWE-426). The flaw requires existing local access and a successful race or environmental manipulation, reflected in the high attack complexity. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
The vulnerability is rooted in CWE-426 (Untrusted Search Path), a class of flaws where a process loads a resource - typically a DLL or executable - from a directory whose contents an attacker can influence, rather than from a trusted, fully qualified path. In the Windows Storage component this most commonly manifests as a service or helper binary searching the current working directory, a user-writable PATH entry, or a side-by-side assembly directory before the system directories, enabling DLL planting/hijacking. Because Windows Storage components frequently run with elevated rights (SYSTEM or service-level tokens), loading attacker-controlled code into such a process yields privilege elevation.
RemediationAI
Apply the Microsoft security update for CVE-2026-47648 as detailed at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47648; exact patched build numbers are not provided in the input data and must be confirmed from the MSRC update guide for each affected Windows SKU. Patch available per vendor advisory. Until patches are deployed, compensating controls include restricting local interactive logon to trusted users via Group Policy (User Rights Assignment) to shrink the pool of 'authorized attackers' the CVSS vector references, removing user-writable directories from the system PATH, and enabling AppLocker or WDAC rules that block unsigned DLL loads from user-writable paths - note these controls can break legitimate applications that rely on PATH lookup or unsigned helper DLLs and require staged rollout with monitoring.
Same weakness CWE-426 – Untrusted Search Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35515
GHSA-x5vh-qfr8-9p58