CVE-2026-32074 Overview
CVE-2026-32074 is a double free vulnerability [CWE-415] in the Windows Projected File System (ProjFS). The flaw allows an authenticated local attacker to elevate privileges on affected Windows desktop and server editions. Microsoft published the advisory on April 14, 2026, and the issue affects a broad range of supported Windows 10, Windows 11, and Windows Server releases. Successful exploitation can yield SYSTEM-level code execution from a low-privilege context.
Critical Impact
An authorized local attacker can trigger a double free in the Windows Projected File System driver to escalate to SYSTEM, gaining full control over confidentiality, integrity, and availability of the host.
Affected Products
- Microsoft Windows 10 (1809, 21H2, 22H2) across x86, x64, and ARM64
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) across x64 and ARM64
- Microsoft Windows Server 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-04-14 - CVE-2026-32074 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-32074
Vulnerability Analysis
The Windows Projected File System (ProjFS) is a kernel-mode component that lets user-mode providers project hierarchical data into the file system namespace. Tools such as Git Virtual File System rely on it to materialize files on demand.
CVE-2026-32074 stems from a double free condition in ProjFS. The driver releases the same heap allocation twice during a specific request flow. The second free corrupts kernel heap metadata, which an attacker can shape to redirect execution or pivot to arbitrary kernel memory writes.
The vulnerability requires local access and low privileges. No user interaction is needed. Successful exploitation results in a complete compromise of the host operating system.
Root Cause
The underlying defect is classified as [CWE-415] Double Free. ProjFS fails to clear or invalidate a pointer after the first deallocation. A subsequent code path treats the stale pointer as valid and frees the same chunk again. Attackers race or sequence ProjFS operations to reach the vulnerable cleanup path.
Attack Vector
The attack vector is local. An attacker who can run code on the target host invokes ProjFS APIs or interacts with a projected virtualization root to drive the driver into the vulnerable state. Because ProjFS executes in kernel context, a successful double free yields kernel-level corruption, which adversaries weaponize for token theft or direct elevation to NT AUTHORITY\SYSTEM.
No public proof-of-concept code is available at the time of writing, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Microsoft has not reported observed in-the-wild exploitation.
Detection Methods for CVE-2026-32074
Indicators of Compromise
- Unexpected creation or mounting of ProjFS virtualization roots by non-administrative processes.
- System crashes or bug checks referencing PrjFlt.sys or the ProjFS driver stack.
- Sudden token changes where a low-privilege process acquires a SYSTEM token without an authenticated logon event.
Detection Strategies
- Hunt for low-integrity processes loading or interacting with ProjFS user-mode libraries such as ProjectedFSLib.dll.
- Correlate kernel pool corruption telemetry and Windows Error Reporting crash dumps that reference the ProjFS driver.
- Alert on parent-child anomalies where a standard user process spawns SYSTEM-level children shortly after ProjFS API activity.
Monitoring Recommendations
- Enable Microsoft-Windows-ProjFS operational and diagnostic event logs and forward them to a centralized analytics platform.
- Monitor for the Optional Features change events that enable the Projected File System component on hosts that do not require it.
- Track local privilege escalations using Sysmon Event ID 1 combined with integrity level transitions.
How to Mitigate CVE-2026-32074
Immediate Actions Required
- Apply the Microsoft security update for CVE-2026-32074 to all affected Windows 10, Windows 11, and Windows Server systems.
- Prioritize patching on multi-user systems, terminal servers, and developer workstations where ProjFS is commonly enabled.
- Audit endpoints for the presence of the Projected File System optional feature and disable it on hosts that do not require ProjFS-dependent tooling.
Patch Information
Microsoft has released fixes through the April 2026 security update cycle. Refer to the Microsoft Security Update CVE-2026-32074 advisory for the specific KB articles that apply to each affected build. Install the cumulative update appropriate to the OS version and verify the patch level using winver or Get-HotFix.
Workarounds
- Disable the Projected File System Windows optional feature on systems that do not depend on Git Virtual File System or similar projection providers.
- Restrict local logon rights and remove unnecessary interactive accounts to reduce the pool of users who can stage a local exploit.
- Apply application control policies such as Windows Defender Application Control to block untrusted binaries from invoking ProjFS APIs.
# Disable the Projected File System optional feature on hosts that do not require it
Disable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart
# Verify installed updates after patching
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
