Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in Windows NTFS allows an unauthorized attacker to run arbitrary code on the target system by triggering a heap-based buffer overflow, with no public exploit identified at time of analysis. The CVSS 7.8 rating reflects high impact across confidentiality, integrity, and availability, but exploitation requires local vector and user interaction. Microsoft (secure@microsoft.com) is the assigning CNA, indicating a first-party vendor advisory via MSRC.
Technical ContextAI
NTFS (New Technology File System) is the default file system driver for Windows, implemented in the kernel-mode ntfs.sys driver. CWE-20 (Improper Input Validation) is the assigned root cause class, manifesting here as a heap-based buffer overflow - meaning attacker-controlled input is not properly validated for size or structure before being written to a heap allocation, corrupting adjacent memory. Because NTFS parsing runs in kernel context, memory corruption in this code path is a classic vector for local privilege escalation and kernel code execution. No CPE strings were provided in the input, so the precise affected Windows builds must be retrieved from the MSRC advisory.
RemediationAI
Patch available per vendor advisory: apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45636, which lists the exact KB numbers for each affected Windows SKU; exact fix build numbers were not included in the input data and must be retrieved from MSRC. Until the update is deployed, compensating controls include blocking the mounting of untrusted external volumes and disk images (group policy can restrict removable storage and disable automount of VHD/VHDX files, at the cost of blocking legitimate external drive use), restricting the ability of standard users to open arbitrary file attachments via attachment manager and Mark-of-the-Web enforcement, and monitoring endpoint telemetry for NTFS parser crashes and ntfs.sys faults that may indicate exploitation attempts. Avoid disabling NTFS itself, as it is the primary Windows file system and not a feasible workaround.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35559
GHSA-6798-vf82-f698