CVE-2026-26163 Overview
CVE-2026-26163 is a double free vulnerability [CWE-415] in the Microsoft Windows Kernel. An authorized local attacker can exploit the flaw to elevate privileges on affected systems. Successful exploitation enables an attacker holding a low-privileged account to gain SYSTEM-level access, resulting in full compromise of confidentiality, integrity, and availability.
Microsoft published the advisory on April 14, 2026, covering supported Windows 10, Windows 11, and Windows Server editions. The vulnerability requires no user interaction and has low attack complexity, making it attractive for post-compromise stages of an intrusion.
Critical Impact
A local authenticated attacker can trigger a kernel double free to escalate from a standard user account to SYSTEM, gaining complete control over the host.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1)
- Microsoft Windows Server 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-04-14 - CVE-2026-26163 published to NVD and Microsoft Security Response Center advisory released
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-26163
Vulnerability Analysis
The issue is a double free condition in the Windows Kernel. A double free occurs when the same memory region is released to the heap allocator more than once. In kernel context, this corrupts pool metadata and the free list, creating a window for an attacker to influence subsequent allocations.
An attacker who controls the timing and content of follow-on allocations can place attacker-chosen data where a freed kernel object previously resided. When the kernel later dereferences pointers from that object, the attacker gains a primitive to read or write kernel memory. Skilled exploitation typically converts this into arbitrary code execution at ring 0 or direct token replacement to obtain SYSTEM.
Root Cause
The underlying defect is improper tracking of object lifetime within a kernel allocation path. A code path frees a pool-allocated object and then a second cleanup or error-handling routine frees the same pointer without nulling or reference-counting it. Microsoft has not published implementation specifics. The flaw maps to [CWE-415: Double Free].
Attack Vector
Exploitation requires local access and valid credentials on the target. The attacker runs a crafted program that triggers the vulnerable kernel code path, sprays the kernel pool to control allocations around the freed object, and reclaims the freed slot with a controlled structure. No user interaction is needed once the attacker has code execution as a standard user.
No public proof-of-concept code is available at the time of writing, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Microsoft has not reported in-the-wild exploitation.
Detection Methods for CVE-2026-26163
Indicators of Compromise
- Unexpected BAD_POOL_HEADER (0x00000019) or KERNEL_MODE_HEAP_CORRUPTION (0x13A) bugcheck events on patched-out hosts indicating attempted exploitation.
- Standard user processes spawning child processes that run as NT AUTHORITY\SYSTEM without a legitimate elevation path.
- New services, scheduled tasks, or driver loads created immediately after a non-privileged process executes an unsigned binary from a user-writable directory.
Detection Strategies
- Hunt for token manipulation patterns where a non-elevated process suddenly possesses a SYSTEM access token, observable through Sysmon Event ID 1 with mismatched IntegrityLevel values.
- Monitor Windows Event Log channel Microsoft-Windows-Kernel-General for repeated pool corruption or unexpected kernel exceptions correlated with a single user session.
- Correlate process creation telemetry with kernel crash dumps; clusters of crashes traced to the same parent process indicate exploitation attempts.
Monitoring Recommendations
- Centralize kernel crash dumps and Windows Error Reporting data in a SIEM for fleet-wide trending of pool corruption events.
- Enable command-line auditing and PowerShell ScriptBlock logging to capture the loader stage of local privilege escalation toolkits.
- Track installation of unsigned or newly observed drivers, which commonly accompany post-exploitation persistence after a kernel EoP.
How to Mitigate CVE-2026-26163
Immediate Actions Required
- Apply the April 2026 Microsoft security update referenced in the Microsoft Security Update CVE-2026-26163 advisory to all affected Windows 10, Windows 11, and Windows Server systems.
- Prioritize multi-user systems, jump hosts, terminal servers, and developer workstations where untrusted local code execution is more likely.
- Review and reduce the number of accounts that hold interactive logon rights on sensitive servers to shrink the local attack surface.
Patch Information
Microsoft has released cumulative updates addressing CVE-2026-26163 across all supported Windows client and server SKUs listed in the affected products table. Refer to the Microsoft Security Update CVE-2026-26163 advisory for the exact KB article and build numbers that apply to each Windows version, including Windows 10 1607/1809/21H2/22H2, Windows 11 23H2/24H2/25H2/26H1, and Windows Server 2012 R2 through 2025.
Workarounds
- No vendor-supplied workaround exists; patching is the only supported remediation.
- Enforce least privilege and remove local administrator rights from standard users to limit the value of a successful escalation.
- Use application control policies such as Windows Defender Application Control or AppLocker to block execution of unsigned binaries from user-writable paths.
# Configuration example: verify patch status on a Windows host
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
wmic qfe list brief /format:table
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
