CVE-2026-20922 Overview
CVE-2026-20922 is a heap-based buffer overflow vulnerability in the Windows New Technology File System (NTFS) driver. An authorized local attacker can trigger the flaw to execute arbitrary code on the affected system. The issue is tracked under [CWE-122] and affects a broad range of Windows client and server releases, from Windows 10 1607 through Windows 11 25H2 and Windows Server 2008 through Windows Server 2025. Microsoft published the advisory on January 13, 2026 and rated the issue High severity. Successful exploitation can yield full compromise of confidentiality, integrity, and availability on the targeted host.
Critical Impact
A local, authenticated attacker can corrupt heap memory in the NTFS driver and execute code in an elevated context, leading to full system compromise.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (23H2, 24H2, 25H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-01-13 - CVE-2026-20922 published to NVD
- 2026-01-15 - Last updated in NVD database
Technical Details for CVE-2026-20922
Vulnerability Analysis
The vulnerability resides in the NTFS file system driver, which is responsible for parsing on-disk metadata structures such as the Master File Table (MFT), attribute headers, and index records. A heap-based buffer overflow occurs when the driver allocates a buffer based on one size value and then writes a larger quantity of data into that buffer. The overflow corrupts adjacent kernel pool memory, which an attacker can shape to overwrite function pointers or object headers used by the kernel.
Because NTFS code paths execute in kernel mode, successful memory corruption typically results in code execution at SYSTEM. The vulnerability requires local access and low privileges, with no user interaction. An attacker with the ability to mount, attach, or otherwise present an attacker-controlled NTFS volume — including a crafted VHD or VHDX image — can reach the vulnerable parsing routine.
Root Cause
The root cause is improper validation of size or length fields embedded in NTFS on-disk structures before they are used to drive heap memory operations. When a malformed attribute or index entry specifies a length that exceeds the allocated buffer, the driver performs an out-of-bounds write on the heap, corrupting kernel pool chunks.
Attack Vector
Exploitation is local and requires authenticated access to the target host. A common path is presenting a maliciously crafted NTFS volume, such as a VHD or ISO file, and inducing the operating system to parse it. Once parsing reaches the vulnerable routine, the attacker shapes the kernel heap to convert the overflow into arbitrary code execution. Public proof-of-concept code is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. No verified exploit code is published; refer to the Microsoft Security Update Guide for CVE-2026-20922 for vendor-supplied technical details.
Detection Methods for CVE-2026-20922
Indicators of Compromise
- Unexpected mounting of VHD, VHDX, or ISO files by non-administrative users, particularly from user-writable directories such as %TEMP% or Downloads.
- Kernel-mode crashes referencing ntfs.sys in Windows Error Reporting or memory dumps, including bug checks such as KERNEL_MODE_HEAP_CORRUPTION or SYSTEM_SERVICE_EXCEPTION.
- Creation of new SYSTEM-level processes or services spawned from user-context parent processes shortly after disk image access.
Detection Strategies
- Monitor for low-privileged processes invoking disk image mount APIs (Mount-DiskImage, Mount-VHD) or interacting with \Device\Vhd and \Device\NTFS device objects.
- Correlate file-system filter driver events with subsequent kernel crashes or token elevation to identify likely exploitation attempts.
- Hunt for anomalous parent-child process relationships where local privilege escalation results in SYSTEM-context child processes.
Monitoring Recommendations
- Enable kernel crash dump collection and forward dumps to a central analysis pipeline for triage of NTFS-related faults.
- Audit Sysmon Event ID 1 (process creation) and Event ID 11 (file create) for disk image artifacts handled by standard user accounts.
- Track Windows Defender Application Control (WDAC) and AppLocker events that block or allow mounting of removable disk images.
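As an added example that is not part of this advisory, the following PowerShell hunt implements the three detection strategies above against the local event logs: low-integrity processes launching disk-image mount tooling (Sysmon Event ID 1), disk-image files created under user profiles (Sysmon Event ID 11), and bug checks consistent with NTFS heap corruption (System log Event ID 1001), correlated within a time window. It assumes Sysmon is installed and logging to Microsoft-Windows-Sysmon/Operational, and the bug-check codes it matches (0x13A KERNEL_MODE_HEAP_CORRUPTION, 0x3B SYSTEM_SERVICE_EXCEPTION) are the ones named in the indicators above.

```powershell
# Added hunting script for CVE-2026-20922; not part of the Microsoft advisory.
# Assumes Sysmon logs process creation (ID 1) and file creation (ID 11). Run elevated.
param([int]$Hours = 24, [int]$CorrelationMinutes = 15)

$since = (Get-Date).AddHours(-$Hours)

# Flatten a Sysmon event's <EventData> into an object keyed by field name.
function ConvertFrom-SysmonEvent([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $xml = [xml]$Event.ToXml()
    $fields = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

function Get-Sysmon([int]$Id) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ }
}

# 1. Mount tooling launched from non-elevated processes (IntegrityLevel Low or Medium).
$mountEvents = Get-Sysmon 1 | Where-Object {
    $_.CommandLine -match 'Mount-DiskImage|Mount-VHD|diskpart' -and $_.IntegrityLevel -in @('Low', 'Medium')
}

# 2. VHD/VHDX/ISO files written into user-writable profile paths (Downloads, %TEMP%, ...).
$imageFiles = Get-Sysmon 11 | Where-Object {
    $_.TargetFilename -match '\.(vhdx?|iso)$' -and $_.TargetFilename -match '\\Users\\'
}

# 3. Bug checks recorded after reboot as System Event ID 1001; match the two codes from the IoC list.
$bugChecks = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x0000013a|0x0000003b' }

# 4. Correlate: a mount attempt followed by a matching bug check inside the window is the strongest signal.
$findings = foreach ($m in $mountEvents) {
    $crash = $bugChecks | Where-Object {
        $_.TimeCreated -gt $m.TimeCreated -and $_.TimeCreated -le $m.TimeCreated.AddMinutes($CorrelationMinutes)
    } | Select-Object -First 1
    [pscustomobject]@{
        Time        = $m.TimeCreated
        User        = $m.User
        Integrity   = $m.IntegrityLevel
        Parent      = $m.ParentImage
        CommandLine = $m.CommandLine
        CrashAfter  = if ($crash) { $crash.TimeCreated } else { $null }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
"Disk-image files created under \Users in the last $Hours h: $($imageFiles.Count)"
$imageFiles | Select-Object TimeCreated, Image, TargetFilename | Format-Table -AutoSize
```

Rows with a non-empty CrashAfter value deserve immediate triage of the corresponding kernel dump; the file-creation list alone is a low-signal lead that should be joined with the mount events by Image or user before escalating.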
How to Mitigate CVE-2026-20922
Immediate Actions Required
- Apply the January 2026 Microsoft security update for all affected Windows client and server SKUs as soon as testing permits.
- Inventory hosts running unsupported or extended-support builds, including Windows Server 2008 and 2012, and prioritize them for patching or isolation.
- Restrict the ability of standard users to mount disk images by enforcing Group Policy and least-privilege access on file shares hosting VHD or ISO artifacts.
Patch Information
Microsoft has released security updates addressing CVE-2026-20922. Detailed patch identifiers, replaced KBs, and per-version download links are available from the Microsoft Security Update Guide for CVE-2026-20922. Administrators should validate patch deployment through Windows Update for Business, WSUS, Intune, or Configuration Manager reporting.
Workarounds
- Block standard users from mounting VHD, VHDX, and ISO files by configuring Group Policy and removing the SeManageVolumePrivilege from non-administrative accounts.
- Use Windows Defender Application Control or AppLocker to prevent execution of untrusted disk-image utilities such as diskpart.exe and PowerShell Mount-DiskImage for non-admin users.
- Disable automatic mounting of removable media and disk images via registry policy where business workflows allow.
rem Example: disable automount of new volumes on Windows hosts (diskpart script).
rem Save as automount.txt and run from an elevated prompt with: diskpart /s automount.txt
automount disable
automount scrub
exit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.