CVE-2026-23672: Windows 10 1607 Privilege Escalation Flaw

CVE-2026-23672 Overview

CVE-2026-23672 is an elevation of privilege vulnerability in the Windows Universal Disk Format File System Driver (UDFS). The flaw is rooted in an out-of-bounds read condition [CWE-125] within the kernel-mode driver responsible for parsing UDF-formatted media. An authenticated local attacker can leverage the issue to elevate privileges on an affected Windows system. Microsoft has rated the vulnerability HIGH with a CVSS 3.1 score of 7.8. The defect affects a wide range of supported Windows client and server releases, from Windows 10 1607 through Windows 11 26H1, and from Windows Server 2012 through Windows Server 2025.

Critical Impact

Successful exploitation allows a local, low-privileged user to gain SYSTEM-level privileges on the targeted host, leading to complete confidentiality, integrity, and availability compromise.

Affected Products

• Microsoft Windows 10 (1607, 1809, 21H2, 22H2) across x86, x64, and ARM64 architectures
• Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) across x64 and ARM64 architectures
• Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025

Discovery Timeline

• 2026-03-10 - CVE-2026-23672 published to the National Vulnerability Database
• 2026-03-13 - Last updated in the NVD database

Technical Details for CVE-2026-23672

Vulnerability Analysis

The vulnerability resides in the Windows UDFS kernel driver (udfs.sys), which implements the Universal Disk Format file system used primarily for optical media such as DVDs and Blu-ray discs. The driver performs an out-of-bounds read while parsing structures contained in UDF-formatted volumes. Because UDFS runs in kernel mode, memory disclosed or interpreted incorrectly during parsing can be repurposed to influence kernel control flow or to leak pointers needed to defeat KASLR. The defect is classified under [CWE-125] (Out-of-bounds Read).

Exploitation requires local access and low privileges. No user interaction is needed once the malicious volume is mounted or accessed. The scope is unchanged, but successful exploitation grants full SYSTEM privileges, providing the attacker complete control of the host.

Root Cause

The root cause is insufficient bounds validation when the UDFS driver reads metadata fields from a crafted file system structure. Length or offset fields embedded in the volume are trusted without validation against the size of the underlying buffer, allowing the driver to read past the intended boundary. The disclosed memory or corrupted state is then used in subsequent operations, opening a path to privilege escalation.

Attack Vector

An attacker with local access stages a malicious UDF image, such as an .iso file or a virtual disk, and triggers UDFS to parse it. Modern Windows builds auto-mount ISO files on double-click and parse mounted virtual media without elevation, which keeps the privilege requirement low. The attacker chains the out-of-bounds read with additional primitives to derive kernel addresses or to manipulate driver state, ultimately executing code or modifying tokens at SYSTEM integrity.

// No public proof-of-concept is available for CVE-2026-23672.
// Refer to the Microsoft Security Response Center advisory for technical guidance.

Detection Methods for CVE-2026-23672

Indicators of Compromise

• Unexpected mounting of .iso, .img, or UDF-formatted virtual disks on endpoints that do not normally process optical media
• Bug checks or stack traces referencing udfs.sys in kernel crash dumps
• Creation of new SYSTEM-level processes spawned by a non-administrative user session shortly after volume mount events

Detection Strategies

• Hunt for Mount-DiskImage PowerShell invocations and shell-initiated ISO mounts originating from standard user contexts
• Monitor kernel telemetry for anomalous access patterns involving udfs.sys and correlate with subsequent token manipulation events
• Alert on user-to-SYSTEM privilege transitions where the parent process chain includes Explorer-driven disk image handling

Monitoring Recommendations

• Enable Windows kernel-mode driver auditing and forward Sysmon Event IDs 1, 10, and 11 to a centralized analytics platform
• Track Windows Event ID 4688 for process creations under elevated tokens following file system driver activity
• Establish baselines for legitimate UDF media usage and flag deviations, particularly on servers and developer workstations

How to Mitigate CVE-2026-23672

Immediate Actions Required

• Apply the March 2026 Microsoft security update for all affected Windows client and server SKUs as identified in the MSRC advisory
• Prioritize patching on multi-user systems, jump hosts, and virtual desktop infrastructure where local low-privileged access is common
• Restrict the ability of standard users to mount disk images via Group Policy or AppLocker rules

Patch Information

Microsoft has issued an official fix as part of its monthly security update cycle. Patch guidance and binary mappings for each affected Windows build are published in the Microsoft CVE-2026-23672 Advisory. Administrators should validate that the cumulative update is installed and that udfs.sys reflects the patched version.

Workarounds

• Disable automatic mounting of ISO and VHD files for non-administrative users through file association and Group Policy controls
• Block delivery of UDF-formatted disk images at the email gateway and web proxy until patches are deployed
• Remove or restrict the UDFS driver on systems that have no operational requirement to read optical or UDF media

# Verify the installed udfs.sys version on a Windows host (PowerShell)
Get-Item C:\Windows\System32\drivers\udfs.sys | Select-Object VersionInfo

# Disable ISO file association for standard users via registry (example)
reg add "HKLM\Software\Classes\Windows.IsoFile\shell\mount" /v ProgrammaticAccessOnly /t REG_SZ /d "" /f