CVE-2026-24290 Overview
CVE-2026-24290 is an improper access control vulnerability in the Windows Projected File System (ProjFS). The flaw allows an authorized local attacker to elevate privileges on affected Windows client and server versions. Microsoft published the advisory on March 10, 2026, and tracks the issue under [CWE-284: Improper Access Control].
ProjFS is a Windows component that allows user-mode providers to project hierarchical data into the file system namespace. When access checks within this component fail to enforce expected boundaries, a standard user can manipulate filesystem operations to gain SYSTEM-level rights.
Critical Impact
A locally authenticated attacker can escalate to higher privileges, compromising confidentiality, integrity, and availability on affected Windows endpoints and servers.
Affected Products
- Microsoft Windows 10 (1809, 21H2, 22H2) across x86, x64, and ARM64
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) across x64 and ARM64
- Microsoft Windows Server 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-03-10 - CVE-2026-24290 published to NVD
- 2026-03-13 - Last updated in NVD database
Technical Details for CVE-2026-24290
Vulnerability Analysis
The vulnerability resides in the Windows Projected File System (ProjFS), a kernel-mode component that exposes virtualized file content to user mode. The component fails to enforce proper access control on certain operations, allowing a low-privileged user to perform actions reserved for higher-privileged contexts.
Exploitation requires local access and valid credentials. The attack complexity is low, no user interaction is needed, and successful exploitation grants full impact across confidentiality, integrity, and availability. The vulnerability maps to [CWE-284: Improper Access Control].
Root Cause
The root cause is a missing or insufficient authorization check within ProjFS operations. The component treats certain filesystem reparse or callback paths as trusted without validating the caller's security context against the target object's access requirements. This permits unauthorized state changes that the operating system later honors at a higher privilege level.
Attack Vector
An attacker with a standard local account abuses ProjFS APIs or virtualized directory operations to influence file system actions performed by privileged components. By controlling reparse points, junctions, or projected content interpreted by SYSTEM-level processes, the attacker redirects writes or executions into protected locations. The end result is arbitrary code execution as SYSTEM or equivalent privilege elevation.
No public proof-of-concept code is available, and no verified exploitation samples have been released for this CVE. See the Microsoft Security Update CVE-2026-24290 advisory for technical details.
Detection Methods for CVE-2026-24290
Indicators of Compromise
- Unexpected creation or modification of reparse points and junctions in user-writable directories by non-administrative processes
- ProjFS provider registrations originating from unsigned or unusual binaries outside %ProgramFiles%
- New SYSTEM-context processes spawned from paths previously controlled by standard users
- Suspicious access to prjflt.sys or interactions with ProjFS callbacks from low-integrity processes
Detection Strategies
- Monitor Windows Security event logs for token elevation events (Event ID 4673, 4688) where the parent process runs at medium integrity but the child runs as SYSTEM
- Apply Sysmon File Create (Event ID 11) and FileCreateStreamHash (Event ID 15) rules targeting reparse point creation in user profile paths
- Correlate ProjFS API usage with subsequent privileged file writes to System32, scheduled tasks, or service binaries
Monitoring Recommendations
- Enable detailed Object Access auditing on sensitive directories such as %SystemRoot%\System32 and service configuration paths
- Track installation and loading of ProjFS providers, including driver load events for prjflt.sys
- Baseline normal use of PrjStartVirtualizing and related APIs in your environment and alert on deviations
How to Mitigate CVE-2026-24290
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-24290 to all affected Windows 10, Windows 11, and Windows Server systems
- Prioritize patching multi-user systems, terminal servers, and developer workstations where standard users have interactive logon rights
- Audit local account membership and remove unnecessary interactive logon permissions
- Verify endpoint protection coverage and ensure tamper protection is enforced on all managed devices
Patch Information
Microsoft has released security updates addressing CVE-2026-24290. Refer to the Microsoft Security Update CVE-2026-24290 page for the cumulative update KB numbers applicable to each Windows version. Install updates through Windows Update, WSUS, or your configured patch management workflow.
Workarounds
- If the Projected File System optional feature is not required, disable it using Disable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS until patches can be applied
- Restrict local interactive logon to trusted administrative users on high-value servers
- Enforce application control policies such as Windows Defender Application Control (WDAC) to limit which binaries can interact with ProjFS providers
# Disable Windows Projected File System where not required
Disable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart
# Verify the feature state
Get-WindowsOptionalFeature -Online -FeatureName Client-ProjFS
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
