Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local elevation requiring an authenticated low-privileged user (AV:L, PR:L), no user interaction, low complexity, yielding SYSTEM-level full C/I/A impact within the same scope.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
Improper authentication in Windows Cryptographic Services allows an unauthorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows Cryptographic Services on Windows 11 (23H2 through 26H1) and Windows Server 2022/2025 allows a low-privileged authenticated user to elevate to higher privileges through an improper authentication flaw (CWE-287). Microsoft has released patches via MSRC, and while no public exploit identified at time of analysis, CISA SSVC rates the technical impact as total, meaning successful exploitation yields full system compromise. EPSS probability is very low (0.06%), reflecting the local attack vector and absence of known exploitation activity.
Technical ContextAI
Windows Cryptographic Services (CryptSvc) is a core Windows service responsible for certificate validation, key management, and cryptographic primitives consumed by signing verification, TLS, EFS, and many authentication subsystems. CWE-287 (Improper Authentication) indicates that the service fails to correctly verify the identity or trust attributes of a caller or credential, enabling a local actor to assert a privileged identity it should not possess. Because CryptSvc runs in a NetworkService/SYSTEM context and is widely trusted by Windows components, an authentication bypass inside it typically translates directly into elevation to SYSTEM. The CPE data confirms the flaw spans Windows 11 23H2/24H2/25H2/26H1 (x64 and ARM64) and Windows Server 2022 and 2025, including Server Core.
RemediationAI
Vendor-released patch: apply the cumulative Windows updates that raise affected systems to at least build 10.0.22631.7219 (Windows 11 23H2), 10.0.26100.8655 (Windows 11 24H2), 10.0.26200.8655 (Windows 11 25H2), 10.0.28000.2269 (Windows 11 26H1), 10.0.20348.5256 (Windows Server 2022), or 10.0.26100.32995 (Windows Server 2025 / Server Core), as listed in https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44810. There is no documented configuration workaround for CryptSvc itself, so until patching is complete, compensating controls should focus on limiting who can run code locally: restrict interactive and RDP logon rights on shared/jump hosts to vetted administrators (trade-off: blocks legitimate multi-user workloads), enforce application allowlisting via WDAC or AppLocker on terminal/Citrix servers to block arbitrary attacker binaries (trade-off: requires policy tuning), and prioritize EDR detections for unusual local elevation behavior on the listed builds.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35744
GHSA-6478-xjph-5qqp