CVE Vulnerability Database

CVE-2026-23671: Windows 10 1607 Privilege Escalation Flaw

CVE-2026-23671 is a privilege escalation vulnerability in Microsoft Windows 10 1607's Bluetooth RFCOM Protocol Driver caused by a race condition. This post covers technical details, affected versions, impact, and mitigation.

CVE-2026-23671 Overview

CVE-2026-23671 is a race condition vulnerability in the Windows Bluetooth RFCOM Protocol Driver. The flaw stems from concurrent execution using a shared resource with improper synchronization [CWE-362]. An authenticated local attacker can exploit the timing window to elevate privileges on affected Windows systems.

Microsoft published the advisory on March 10, 2026. The vulnerability affects a broad range of Windows client and server versions, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through Windows Server 2025. Successful exploitation has high impact on the confidentiality, integrity, and availability of the targeted host.

Critical Impact

A local, authenticated attacker who wins the race condition can elevate privileges to SYSTEM, gaining full control over the affected Windows host.

Affected Products

  • Microsoft Windows 10 (versions 1607, 1809, 21H2, 22H2) across x86, x64, and ARM64
  • Microsoft Windows 11 (versions 23H2, 24H2, 25H2, 26H1) across x64 and ARM64
  • Microsoft Windows Server 2016, 2019, 2022, 2022 23H2, and 2025

Discovery Timeline

  • 2026-03-10 - CVE-2026-23671 published to NVD
  • 2026-03-13 - Last updated in NVD database

Technical Details for CVE-2026-23671

Vulnerability Analysis

The Windows Bluetooth RFCOM Protocol Driver implements the RFCOMM transport layer used to emulate serial ports over Bluetooth. The driver handles concurrent I/O requests from user-mode callers and kernel-mode components. CVE-2026-23671 arises because the driver fails to properly synchronize access to a shared resource across these concurrent execution paths.

An attacker with local, authenticated access can issue carefully timed requests to the driver. By winning the race window between a check and a use, the attacker manipulates kernel state in a way the driver did not anticipate. The outcome is corruption or misuse of kernel objects that the driver assumed remained stable, enabling privilege elevation to SYSTEM.

The attack complexity is high because the attacker must reliably hit a narrow timing window. However, the impact across confidentiality, integrity, and availability is severe once exploitation succeeds.

Root Cause

The root cause is improper synchronization [CWE-362] around a shared kernel resource within the Bluetooth RFCOM Protocol Driver. Two or more code paths can access and modify the same resource simultaneously without adequate locking, reference counting, or atomic operations. This produces a time-of-check to time-of-use (TOCTOU) condition that an attacker can manipulate.

Attack Vector

Exploitation requires local access and low-privileged authenticated credentials. No user interaction is needed. The attacker triggers multiple concurrent operations against the RFCOMM driver, racing the kernel's handling of shared state. Because the attack vector is local rather than over the Bluetooth radio, the threat surface is post-compromise privilege escalation rather than remote takeover. Public exploit code is not currently available, and the EPSS probability remains low.

No verified proof-of-concept code is publicly available. Refer to the Microsoft CVE-2026-23671 Update Guide for vendor technical details.

Detection Methods for CVE-2026-23671

Indicators of Compromise

  • Unexpected SYSTEM-level processes spawned from user-context sessions shortly after Bluetooth service interaction
  • Crashes or bug checks involving bthport.sys, rfcomm.sys, or related Bluetooth kernel components
  • Anomalous handle activity or repeated IOCTL calls to Bluetooth RFCOMM device objects from non-administrative processes

Detection Strategies

  • Monitor for processes that open handles to Bluetooth RFCOMM device interfaces and subsequently spawn elevated child processes
  • Hunt for kernel crash dumps referencing the RFCOMM driver in environments where Bluetooth is not actively used
  • Correlate local logon events with subsequent privilege escalation indicators on the same host within short time windows
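The lineage and correlation strategies above, as an added example that is not from the advisory or from Microsoft: a PowerShell hunt over Security-log process creation events (ID 4688) that flags a SYSTEM process whose creating process was started under an ordinary user session. It assumes "Audit Process Creation" is enabled, uses the standard 4688 field names, and the 120-second lookback and privileged-subject pattern are my choices; the sample records are constructed.

```powershell
# Added example, not part of the advisory: hunt Security-log process-creation
# events (ID 4688) for SYSTEM processes whose creating process belonged to an
# ordinary user session, the lineage called out under "Indicators of Compromise".
# Requires "Audit Process Creation" to be enabled on the host. Field names follow
# the standard 4688 event schema; the 120-second window and the privileged-subject
# pattern are my assumptions, and PID reuse can still produce false links.

$PrivilegedSubject = '^(NT AUTHORITY\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE))$|\$$'

function ConvertFrom-ProcessCreationEvent {
    # Flatten a 4688 EventLogRecord into a plain object via its XML payload.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            SubjectUser = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            NewPid      = [int]$d.NewProcessId     # logged as hex text, e.g. 0x1004
            NewProcess  = $d.NewProcessName
            CreatorPid  = [int]$d.ProcessId        # PID of the process that called CreateProcess
            Parent      = $d.ParentProcessName
        }
    }
}

function Find-SuspiciousSystemSpawns {
    # Flag each SYSTEM process whose creator PID was itself started under a
    # non-privileged subject within the lookback window.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 120
    )
    $sorted = @($Events | Sort-Object Time)
    foreach ($e in $sorted) {
        if ($e.SubjectUser -notmatch $PrivilegedSubject) { continue }
        # Most recent creation record for the creator PID before this event.
        $creator = $sorted | Where-Object {
            $_.NewPid -eq $e.CreatorPid -and $_.Time -le $e.Time -and
            ($e.Time - $_.Time).TotalSeconds -le $WindowSeconds
        } | Select-Object -Last 1
        if ($creator -and $creator.SubjectUser -notmatch $PrivilegedSubject) {
            [pscustomobject]@{
                Time          = $e.Time
                SystemProcess = $e.NewProcess
                SpawnedBy     = $creator.NewProcess
                UserSession   = $creator.SubjectUser
                Reason        = 'SYSTEM process created by a user-context process'
            }
        }
    }
}

# Constructed sample records (not real telemetry) so the check can be run offline.
# The third record models the suspicious lineage; the fourth is a normal service
# start whose creator (services.exe) is outside the sample.
$t0 = Get-Date '2026-03-11T09:00:00'
$sample = @(
    [pscustomobject]@{ Time=$t0;                SubjectUser='CORP\alice';          NewPid=4100; NewProcess='C:\Windows\System32\cmd.exe';          CreatorPid=2200; Parent='C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time=$t0.AddSeconds(20); SubjectUser='CORP\alice';          NewPid=4200; NewProcess='C:\Users\alice\Downloads\unknown.exe'; CreatorPid=4100; Parent='C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Time=$t0.AddSeconds(35); SubjectUser='NT AUTHORITY\SYSTEM'; NewPid=4300; NewProcess='C:\Windows\System32\cmd.exe';          CreatorPid=4200; Parent='C:\Users\alice\Downloads\unknown.exe' }
    [pscustomobject]@{ Time=$t0.AddSeconds(40); SubjectUser='NT AUTHORITY\SYSTEM'; NewPid=4400; NewProcess='C:\Windows\System32\svchost.exe';      CreatorPid=900;  Parent='C:\Windows\System32\services.exe' }
)
Find-SuspiciousSystemSpawns -Events $sample | Format-Table -AutoSize

# Live use: the same check over the last 24 hours of 4688 events on this host.
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-1) } |
#         ConvertFrom-ProcessCreationEvent
# Find-SuspiciousSystemSpawns -Events $live | Format-Table -AutoSize
```

The check deliberately matches on the creator PID rather than on ParentProcessName alone, because the name field cannot tell a user's cmd.exe from SYSTEM's; it is the subject of the creator's own 4688 record that carries the session context. Legitimate elevation paths (services, scheduled tasks, UAC) are created by SYSTEM-owned hosts such as services.exe or svchost.exe, so they do not match.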

Monitoring Recommendations

  • Enable kernel-mode driver telemetry and forward Windows Error Reporting bucket data to your SIEM for correlation
  • Track installed patch levels across the fleet and flag endpoints missing the March 2026 Microsoft security updates
  • Audit which endpoints have the Bluetooth stack enabled and prioritize monitoring on systems where it is unnecessary

How to Mitigate CVE-2026-23671

Immediate Actions Required

  • Apply the Microsoft security update referenced in the Microsoft CVE-2026-23671 Update Guide to all affected Windows client and server systems
  • Prioritize patching on shared workstations, kiosks, and any system where untrusted users hold local logon rights
  • Inventory endpoints with active Bluetooth hardware and confirm the RFCOMM driver is updated
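A per-host audit that covers the monitoring recommendations and the inventory step above, added here as an example and not Microsoft's tooling: it reports Bluetooth service and radio state, the rfcomm.sys file version, whether a given update is installed, and recent bugchecks, so endpoints can be ranked for patching and for crash-dump review. The KB identifier is a placeholder to be taken from the Microsoft CVE-2026-23671 Update Guide; the function name, the 30-day lookback and the triage flags are mine.

```powershell
# Added example, not Microsoft tooling: a per-host audit for the monitoring and
# patching guidance in this advisory. Reports Bluetooth service and radio state,
# the rfcomm.sys file version, whether a given update is installed, and recent
# bugchecks, so hosts can be ranked for patching and for crash-dump review.
# The KB identifier is a placeholder: take the real one for each build from the
# Microsoft CVE-2026-23671 Update Guide. Function name and thresholds are mine.

function Get-BluetoothExposureReport {
    param(
        [string] $RequiredKb = 'KB0000000',   # placeholder, replace from the Update Guide
        [int]    $LookbackDays = 30
    )
    $since = (Get-Date).AddDays(-$LookbackDays)

    $svc    = Get-Service -Name bthserv -ErrorAction SilentlyContinue
    $radios = @(Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue |
                Where-Object Status -eq 'OK')
    $driver = Get-Item "$env:SystemRoot\System32\drivers\rfcomm.sys" -ErrorAction SilentlyContinue
    $hotfix = Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue

    # Bugcheck records: System log, source "BugCheck", event ID 1001. The event text
    # does not name the faulting driver; attributing a crash to rfcomm.sys or
    # bthport.sys needs the dump itself (e.g. !analyze -v in WinDbg), so the report
    # only counts crashes and dumps and leaves the analysis to the responder.
    $bugchecks = @(Get-WinEvent -FilterHashtable @{
                        LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
                        Id = 1001; StartTime = $since } -ErrorAction SilentlyContinue)
    $dumps = @(Get-ChildItem "$env:SystemRoot\Minidump" -Filter *.dmp -ErrorAction SilentlyContinue |
               Where-Object LastWriteTime -gt $since)

    $serviceRunning  = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $bluetoothUnused = (-not $serviceRunning) -or ($radios.Count -eq 0)

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        BluetoothService = if ($svc) { "$($svc.Status) ($($svc.StartType))" } else { 'not installed' }
        ActiveRadios     = $radios.Count
        RfcommDriver     = if ($driver) { $driver.VersionInfo.FileVersion } else { 'not present' }
        UpdateInstalled  = ($null -ne $hotfix)
        Bugchecks        = $bugchecks.Count
        Minidumps        = $dumps.Count
        # Driver present and service running without the update: patch first.
        Exposed          = ($null -ne $driver) -and $serviceRunning -and ($null -eq $hotfix)
        # Crashes on a host that should not be exercising the Bluetooth stack: review dumps.
        ReviewDumps      = ($bugchecks.Count -gt 0) -and $bluetoothUnused
    }
}

# Local run.
Get-BluetoothExposureReport -RequiredKb 'KB0000000' | Format-List

# Fleet run: collect from many hosts and keep those needing action.
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#     -ScriptBlock ${function:Get-BluetoothExposureReport} -ArgumentList 'KB0000000' |
#     Where-Object { $_.Exposed -or $_.ReviewDumps } |
#     Export-Csv .\bluetooth-exposure.csv -NoTypeInformation
```

Reading the Minidump directory and the Security-related hotfix data needs local administrator rights, and Get-PnpDevice ships with Windows 8.1/Server 2012 R2 and later. Comparing RfcommDriver across the fleet after the update is deployed is a quick way to spot hosts where the cumulative update installed but a reboot is still pending.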

Patch Information

Microsoft has released cumulative security updates addressing CVE-2026-23671 for all listed Windows versions. Consult the Microsoft CVE-2026-23671 Update Guide to identify the specific KB articles for each supported build. Deploy the updates through Windows Update, WSUS, Microsoft Intune, or Configuration Manager according to your standard change-management process.

Workarounds

  • Disable the Bluetooth service (bthserv) on systems that do not require Bluetooth connectivity until patches are deployed
  • Disable or remove Bluetooth radio hardware in Device Manager on servers and fixed-function workstations
  • Restrict interactive local logon rights to trusted administrators where feasible to reduce the population of users who can attempt exploitation
```bash
# Example: disable the Bluetooth Support Service on Windows hosts
# (sc.exe requires the space after "start=")
sc.exe config bthserv start= disabled
sc.exe stop bthserv
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
