CVE-2026-25175 Overview
CVE-2026-25175 is an out-of-bounds read vulnerability in the Windows New Technology File System (NTFS) driver. An authorized local attacker can exploit the flaw to elevate privileges on affected systems. Microsoft published the advisory on March 10, 2026, covering multiple supported releases of Windows 10, Windows 11, and Windows Server. The weakness is classified under CWE-125: Out-of-bounds Read.
Critical Impact
Successful exploitation grants an attacker with low-privileged local access the ability to read kernel memory and escalate to SYSTEM-level privileges, resulting in full compromise of confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2) across x86, x64, and ARM64 builds
- Microsoft Windows 11 23H2 (x64 and ARM64)
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2026-03-10 - CVE-2026-25175 published to the National Vulnerability Database
- 2026-03-10 - Microsoft releases security update guidance for CVE-2026-25175
- 2026-03-13 - Last updated in the NVD
Technical Details for CVE-2026-25175
Vulnerability Analysis
The vulnerability resides in the NTFS driver (ntfs.sys), which parses on-disk metadata structures including the Master File Table (MFT), file records, and attribute lists. An out-of-bounds read occurs when the driver processes a crafted NTFS structure and references memory outside the bounds of an allocated buffer.
Because ntfs.sys runs in kernel mode, the leaked data can include sensitive kernel memory contents such as pool addresses, object pointers, and security tokens. An attacker can chain this information disclosure with other primitives to bypass Kernel Address Space Layout Randomization (KASLR) and achieve privilege escalation to SYSTEM.
Exploitation requires the attacker to be authenticated on the target with low privileges. No user interaction is required, and the attack complexity is low.
Root Cause
The root cause is missing or insufficient bounds validation when the NTFS driver reads attributes from a malformed file system structure. When the driver trusts a length or offset field embedded in attacker-controlled NTFS metadata, it indexes beyond the end of a kernel buffer, returning adjacent memory to the calling context.
Attack Vector
A local authenticated attacker mounts or accesses a specially crafted NTFS volume, such as a malicious VHD, ISO, or USB image. When NTFS parses the malformed structures, the out-of-bounds read triggers, exposing kernel memory that the attacker uses to stage a follow-on privilege escalation. Refer to the Microsoft Security Update Guide for CVE-2026-25175 for vendor technical details.
Detection Methods for CVE-2026-25175
Indicators of Compromise
- Unexpected mounting of VHD, VHDX, or ISO images by non-administrative users
- NTFS driver errors or bugchecks (0x00000024 / NTFS_FILE_SYSTEM) in System event logs
- Newly created processes spawning under SYSTEM from a session that began as a standard user
Detection Strategies
- Monitor for image-mount operations via Event ID 12289 in Microsoft-Windows-VHDMP-Operational and correlate with the invoking user context
- Alert on low-privilege processes that immediately precede token or integrity-level changes to SYSTEM
- Inspect kernel crash dumps for repeated faults inside ntfs.sys parsing routines
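An added PowerShell example, not part of the advisory, that turns the first detection strategy into a query: it reads the VHDMP mount events from the last N hours and flags those raised by an account outside the local Administrators group. The channel name (written here in the Event Viewer "Provider/Operational" form) and Event ID 12289 are taken from the page; confirm both on your build before relying on the script.

```powershell
# Added example (not part of the advisory): list disk-image mount events and flag
# those raised by accounts outside the local Administrators group.
# Channel and Event ID come from the detection strategy above; verify on your build.
param(
    [int]$Hours = 24,
    [int]$MountEventId = 12289,
    [string]$Channel = 'Microsoft-Windows-VHDMP/Operational'
)

# Direct members of the local Administrators group (nested group members are not expanded)
$adminSids = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
               ForEach-Object { $_.SID.Value })

$filter = @{
    LogName   = $Channel
    Id        = $MountEventId
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Host "No events with ID $MountEventId in $Channel during the last $Hours hours."
    return
}

$findings = foreach ($e in $events) {
    # UserId is the SID of the context that raised the event; it can be empty
    $sid     = $e.UserId
    $account = 'n/a'
    $isAdmin = $false
    if ($sid) {
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }
        $isAdmin = $adminSids -contains $sid.Value
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $account
        IsAdmin = $isAdmin
        Summary = ($e.Message -split "`r?`n")[0]   # first line of the event text
    }
}

# Non-administrative mounts are the indicator called out above, so surface them first
$findings | Sort-Object IsAdmin, Time | Format-Table -AutoSize
$findings | Where-Object { -not $_.IsAdmin } | ForEach-Object {
    Write-Warning "Image mount by non-admin account $($_.Account) at $($_.Time)"
}
```

Correlate the flagged accounts with the SYSTEM-level process creations listed under Indicators of Compromise; a non-admin mount followed shortly by a SYSTEM process from the same session is the sequence the advisory describes.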
Monitoring Recommendations
- Forward Windows Security, System, and Microsoft-Windows-Ntfs/Operational logs to a centralized SIEM for correlation
- Track creation and attachment of removable media and disk image files on servers and privileged workstations
- Baseline normal NTFS driver behavior and alert on abnormal volumes of file-system mount or dismount events
How to Mitigate CVE-2026-25175
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-25175 to all affected Windows client and server builds
- Prioritize patching multi-user systems, terminal servers, and shared workstations where local accounts are present
- Restrict the ability of standard users to mount arbitrary disk images via Group Policy or AppLocker
Patch Information
Microsoft has released cumulative updates addressing CVE-2026-25175 for all listed Windows 10, Windows 11, and Windows Server versions. Patch identifiers and KB numbers for each affected build are available in the Microsoft Security Update Guide. Administrators should validate deployment through Windows Update for Business, WSUS, or their preferred patch management platform.
Workarounds
- Block attachment of untrusted USB storage and disk image files through device control policies
- Remove or restrict the SeManageVolumePrivilege and image-mount rights from non-administrative accounts
- Disable auto-mount of removable media on servers that do not require it
rem Example: disable automatic mounting of new volumes via diskpart (run from an elevated prompt)
diskpart
automount disable
automount scrub
exit
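An added PowerShell example, not part of the advisory, that audits the two settings the workarounds above change: which principals hold SeManageVolumePrivilege (parsed from a secedit export of the user-rights area) and whether diskpart reports automount as enabled. It assumes a Windows host and an elevated session.

```powershell
# Added example (not part of the advisory): verify the workarounds above, i.e. who holds
# SeManageVolumePrivilege and whether automount is enabled. Run from an elevated session.
function Get-ManageVolumeHolders {
    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
    # secedit exports user-rights assignments as lines of the form 'Privilege = *SID,*SID,...'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeManageVolumePrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }   # already a name, or an unresolvable SID: report as-is
    }
}

function Get-AutomountEnabled {
    # diskpart's 'automount' command with no argument prints the current state
    $out = 'automount' | diskpart
    return [bool]($out -match 'volumes enabled')
}

$holders  = @(Get-ManageVolumeHolders)
$expected = 'BUILTIN\Administrators'   # default holder of "Perform volume maintenance tasks"
Write-Host 'SeManageVolumePrivilege is held by:'
foreach ($h in $holders) {
    $note = if ($h -eq $expected) { '' } else { '  <-- not the default; review' }
    Write-Host "  $h$note"
}

if (Get-AutomountEnabled) {
    Write-Warning 'Automount is enabled; newly attached volumes, including disk images, mount automatically.'
} else {
    Write-Host 'Automount is disabled.'
}
```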
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.