Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Access of resource using incompatible type ('type confusion') in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows Kernel-Mode Drivers allows an authenticated low-privileged user to elevate to SYSTEM via a type confusion (CWE-843) flaw. The vulnerability carries a CVSS 7.8 (High) with low attack complexity and no user interaction once local access is obtained, though no public exploit identified at time of analysis. Reported by Microsoft's MSRC, this fits the recurring pattern of Windows kernel driver EoP bugs frequently abused in post-compromise stages.
Technical ContextAI
The flaw resides in Windows Kernel-Mode Drivers, which run in ring 0 and have unrestricted access to system memory and hardware. CWE-843 (Access of Resource Using Incompatible Type, or 'type confusion') occurs when code allocates or accesses an object as one type but the underlying memory is actually a different type - leading to out-of-bounds reads/writes, corrupted vtables, or attacker-controlled function pointers. In kernel context, successful exploitation typically results in arbitrary kernel memory write primitives that can be turned into SYSTEM-level token replacement. The 'Memory Corruption' and 'Information Disclosure' tags suggest the bug can be leveraged both to leak kernel addresses (defeating KASLR) and to corrupt kernel structures.
RemediationAI
Patch available per vendor advisory - apply the Microsoft security update published in the MSRC entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45600 as part of the corresponding Patch Tuesday cycle; exact KB numbers per Windows build should be retrieved from that advisory since they are not included in the provided data. Because exploitation requires local authenticated access, compensating controls while patching include restricting interactive and RDP logon rights to trusted administrators, enforcing application allowlisting (WDAC or AppLocker) to block unknown user-mode exploit binaries, enabling Hypervisor-Protected Code Integrity (HVCI) which raises the bar for kernel type-confusion exploitation by enforcing kernel code integrity (trade-off: incompatible with some older third-party drivers), and monitoring EDR telemetry for suspicious token-stealing or kernel memory access patterns. There is no documented configuration-level workaround that removes the vulnerable driver without functional loss.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35561
GHSA-672h-59xc-v8h6