Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows Kernel allows an authorized low-privileged attacker to gain elevated (SYSTEM-level) privileges by triggering a use-after-free condition in kernel memory. The flaw carries a CVSS 7.0 (High) rating with high attack complexity, and Microsoft has released a patch via MSRC; no public exploit identified at time of analysis. Successful exploitation breaks the local Windows security boundary, enabling full host compromise from any authenticated session.
Technical ContextAI
The vulnerability resides in the Windows NT kernel, the privileged core of the Windows operating system that manages memory, scheduling, and hardware abstraction. The root cause is CWE-416 (Use After Free), a memory-corruption class in which a kernel object is dereferenced after its backing memory has been freed and potentially reallocated for attacker-controlled data, allowing the attacker to redirect execution or corrupt adjacent kernel structures. Because the bug lives in ring-0 code, successful manipulation of the dangling pointer can lead to arbitrary kernel-mode code execution and bypass of user/kernel privilege boundaries. The vuldb tag set also notes denial-of-service as a secondary impact, consistent with kernel memory corruption that may simply crash the host (bugcheck) when exploitation fails.
RemediationAI
Apply the Microsoft-released patch published through the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42984 by deploying the monthly cumulative security update (KB) for each affected Windows version via Windows Update, WSUS, Intune, or SCCM; this is the only complete fix. Where immediate patching is not feasible, reduce risk by restricting interactive and remote (RDP, WinRM) logon to trusted administrative accounts, enforcing least-privilege so standard users cannot run arbitrary code, enabling Windows Defender Application Control or AppLocker to constrain untrusted binaries that could host exploit code, and turning on Hypervisor-Protected Code Integrity (HVCI) / Virtualization-Based Security where supported to raise the bar for kernel memory corruption - noting that HVCI may impact older drivers and that aggressive WDAC policies can break legitimate workflows. There is no documented configuration-only workaround for the underlying kernel UAF, so these controls are mitigations, not substitutes for the patch.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35734
GHSA-q49g-3g5j-2vj8