CVE-2026-26153 Overview
CVE-2026-26153 is an out-of-bounds read vulnerability in the Windows Encrypting File System (EFS) component. An authorized local attacker can exploit the flaw to elevate privileges on affected systems. The issue is tracked under CWE-125: Out-of-bounds Read and impacts a broad range of Windows client and server releases, from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through Windows Server 2025. Microsoft published the advisory on April 14, 2026, and updated it on April 24, 2026. Successful exploitation can yield SYSTEM-level access on a compromised host.
Critical Impact
A local, authenticated attacker can read out-of-bounds memory in EFS to escalate privileges, gaining full confidentiality, integrity, and availability impact on the host.
Affected Products
- Microsoft Windows 10 (1809, 21H2, 22H2) across x86, x64, and ARM64
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) across x64 and ARM64
- Microsoft Windows Server 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-04-14 - Microsoft releases security update for CVE-2026-26153
- 2026-04-14 - CVE-2026-26153 published to the National Vulnerability Database
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-26153
Vulnerability Analysis
The vulnerability is an out-of-bounds read in the Windows Encrypting File System (EFS), a file-level encryption feature integrated into NTFS. EFS handles cryptographic metadata, key material, and access checks across kernel and user-mode boundaries. When EFS processes attacker-influenced input, it reads memory beyond an allocated buffer. The leaked data can include kernel pointers, structure fields, or fragments of cryptographic state that enable a local attacker to bypass mitigations and corrupt privileged structures.
The attack requires local access and low-privilege authentication. No user interaction is needed, and the attack complexity is low. The scope remains unchanged, but the impact on confidentiality, integrity, and availability is high because successful exploitation results in privilege elevation to SYSTEM. No public proof-of-concept code, exploit, or in-the-wild exploitation has been reported.
Root Cause
The root cause is improper bounds validation when EFS parses data structures, classified under CWE-125: Out-of-bounds Read. The component dereferences memory using attacker-controlled offsets or lengths without sufficient validation against the underlying buffer size. The disclosed bytes can be combined with separate primitives to defeat kernel address space layout randomization (KASLR) and stage a follow-on write or call into privileged code paths.
Attack Vector
Exploitation requires a local foothold. An attacker who has already executed code as a standard user, for example through phishing, a malicious installer, or a chained remote vulnerability, invokes the affected EFS code path. Crafted input triggers the out-of-bounds read, leaking memory contents back to the attacker process. The attacker uses the leaked information to elevate privileges, typically by corrupting EFS-managed structures or by enabling a paired primitive that yields arbitrary kernel execution.
No verified exploitation code is publicly available. Refer to the Microsoft Security Update for CVE-2026-26153 for vendor-provided technical context.
Detection Methods for CVE-2026-26153
Indicators of Compromise
- Unexpected child processes of lsass.exe, efsrpc-related services, or processes invoking EFS APIs such as EncryptFile, DecryptFile, or QueryUsersOnEncryptedFile from non-administrative accounts.
- New SYSTEM-context processes or scheduled tasks created shortly after standard-user activity touching encrypted files.
- Crashes or anomalous error events tied to EFS components in the Windows Event Log, particularly repeated faults in efsrpc.dll or efslsaext.dll.
Detection Strategies
- Hunt for local privilege escalation chains: a low-privilege process accessing EFS interfaces followed by token manipulation or SYSTEM-context spawns.
- Correlate Sysmon Event ID 10 (process access) and Event ID 1 (process creation) for handles opened against lsass.exe or EFS service processes from unusual binaries.
- Use behavioral AI identification, available in Singularity Endpoint, to flag anomalous privilege transitions and memory-disclosure patterns that precede elevation.
Monitoring Recommendations
- Centralize Windows Security, System, and Sysmon logs in a SIEM and alert on EFS service crashes paired with subsequent privilege changes.
- Monitor process integrity-level changes from Medium to System on workstations and servers running Windows 10, Windows 11, and Windows Server 2019 through 2025.
- Track installation status of the April 2026 security updates across the fleet to confirm patch coverage on every affected build listed in the advisory.
How to Mitigate CVE-2026-26153
Immediate Actions Required
- Apply the April 2026 Microsoft security updates for CVE-2026-26153 to all affected Windows 10, Windows 11, and Windows Server systems.
- Prioritize patching multi-user systems, terminal servers, and developer workstations where local accounts are most likely to be abused.
- Audit local accounts and remove unnecessary interactive logon rights to reduce the population of users able to trigger the local attack vector.
Patch Information
Microsoft addressed the vulnerability through cumulative updates released on April 14, 2026. Patch identifiers and download links for each affected build are listed in the Microsoft Security Update Guide for CVE-2026-26153. Confirm installation of the appropriate update for each operating system version in the affected products list, including ARM64, x64, and x86 variants where applicable.
Workarounds
- No official workaround is documented by Microsoft; installing the security update is the supported remediation.
- As a compensating control, restrict EFS usage on systems where it is not required by setting the NtfsDisableEncryption registry value or via Group Policy.
- Enforce least privilege and application control to limit which local users can execute untrusted binaries capable of invoking the vulnerable EFS code path.
# Verify the April 2026 cumulative update is installed (run in elevated PowerShell)
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
# Optional: Disable EFS on endpoints that do not require file-level encryption
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableEncryption /t REG_DWORD /d 1 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
