Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Use after free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows Bluetooth Service stems from a use-after-free condition (CWE-416) that an authenticated low-privilege user can trigger to gain elevated rights on the host. The CVSS 7.8 vector (AV:L/AC:L/PR:L/UI:N) reflects a fully local attack with high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. The flaw was reported by Microsoft (secure@microsoft.com) and tracked in the MSRC update guide.
Technical ContextAI
The Windows Bluetooth Service (bthserv) is a system-level Windows component responsible for managing Bluetooth radios, pairing, and protocol stack interactions; it typically runs with SYSTEM-level privileges and exposes IPC surfaces (RPC/COM/IOCTL) to lower-privileged callers. CWE-416 (Use After Free) indicates the service references a heap object after it has been deallocated, allowing the freed memory to be re-allocated and controlled by the attacker before the dangling pointer is dereferenced. Because the service operates in a higher trust boundary than the caller, controlling the freed object's contents can corrupt function pointers or vtables and pivot execution into attacker-supplied data, resulting in arbitrary code execution in the service's context.
RemediationAI
Apply the Microsoft security update referenced on the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45605 for each affected Windows edition and build - exact fixed build numbers are published per-SKU in that advisory and should be cited as the patch of record. As a compensating control on hosts where patching must be delayed, disable the Bluetooth Support Service (bthserv) via 'sc config bthserv start= disabled' and stop the service, which removes the vulnerable attack surface but breaks all Bluetooth peripheral functionality (keyboards, mice, audio, file transfer). On endpoints that do not require Bluetooth, disable the radio at the hardware/UEFI level or via Group Policy ('Allow Bluetooth' set to Disabled) to prevent the service from being reactivated; restricting interactive and remote logon (e.g., RDP) to trusted users on shared hosts further reduces the population of attackers able to call the local interface.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35682
GHSA-7875-jr7x-qfvp