CVE-2026-35418 Overview
CVE-2026-35418 is a use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys). An authorized local attacker can exploit the flaw to elevate privileges on the affected host. Microsoft tracks the underlying weakness as a Time-of-Check Time-of-Use (CWE-367) race condition that leads to memory being freed and reused. Successful exploitation yields high impact to confidentiality, integrity, and availability. The vulnerability affects supported Windows client and server releases, including Windows 10, Windows 11, and Windows Server 2019 through 2025.
Critical Impact
Local privilege escalation to SYSTEM through a kernel-mode mini filter driver, enabling full compromise of the affected Windows host.
Affected Products
- Microsoft Windows 10 (1809, 21H2, 22H2) on x86, x64, and ARM64
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) on x64 and ARM64
- Microsoft Windows Server 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-05-12 - CVE-2026-35418 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-35418
Vulnerability Analysis
The Cloud Files Mini Filter Driver (cldflt.sys) brokers I/O between user-mode cloud sync providers and the NTFS file system. It exposes placeholder file operations through filter callbacks and reparse point handling. The driver tracks per-file context objects whose lifetime depends on reference counts maintained during callback execution.
A local attacker who can issue file system operations against placeholder files can race two concurrent requests against the same context object. The driver validates the object once, then dereferences it after another thread has released the underlying allocation. Reuse of the freed kernel memory grants the attacker write access to adjacent pool structures.
Root Cause
The defect is a TOCTOU race condition classified as CWE-367. The driver checks an object state, yields to another thread, and then operates on memory whose ownership has changed. Because validation and use are not atomic, the freed object is dereferenced as if still valid, producing the use-after-free condition.
Attack Vector
Exploitation requires local code execution with low-privilege user rights and no user interaction. The attacker must win a narrow timing window, which is reflected in the high attack complexity. A successful race overwrites kernel pool memory with attacker-controlled data, enabling arbitrary kernel read and write primitives. From there, an attacker can replace a process token with a SYSTEM token to complete privilege escalation.
No public proof-of-concept is available, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog. See the Microsoft Security Update for CVE-2026-35418 for additional technical context.
Detection Methods for CVE-2026-35418
Indicators of Compromise
- Unexpected loading or interaction with cldflt.sys from non-cloud-provider processes.
- Kernel bug checks referencing cldflt.sys, particularly BAD_POOL_HEADER or DRIVER_VERIFIER_DETECTED_VIOLATION.
- New processes spawning with SYSTEM integrity from a parent running at medium integrity.
- Anomalous creation or manipulation of placeholder files under %USERPROFILE% cloud sync directories by non-sync processes.
Detection Strategies
- Monitor process token changes where a non-elevated parent obtains a SYSTEM-level child process.
- Enable Driver Verifier on cldflt.sys in test environments to surface pool corruption during suspected exploitation.
- Correlate file system mini filter activity with abnormal handle duplication and IOCTL volume from unprivileged users.
Monitoring Recommendations
- Forward Windows kernel event logs and crash dump telemetry to a centralized analytics platform for trend analysis.
- Track installation status of the Microsoft security update across endpoints and servers using configuration management.
- Alert on local privilege escalation patterns such as token theft, parent-child integrity mismatches, and abuse of file system filter drivers.
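The parent-child integrity mismatch named in the detection strategies and monitoring recommendations above, as an added example that is not part of the advisory: a PowerShell function that replays Security event 4688 (process creation), records the mandatory label of every new process, and flags a System-integrity child whose creator process ran at medium integrity. The function name and event count are assumptions of this example; it requires process-creation auditing to be enabled and an elevated shell to read the Security log.

```powershell
# Added example, not from the advisory. Flags System-integrity child processes
# whose creator process ran at medium integrity, using Security event 4688.
# Well-known integrity SIDs: medium = S-1-16-8192, System = S-1-16-16384.
function Find-IntegrityMismatch {
    param(
        [int]$MaxEvents = 5000,      # assumed default; raise on busy hosts
        [string]$LogName = 'Security'
    )
    $labels = @{}   # NewProcessId (int) -> MandatoryLabel SID
    $hits   = @()

    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4688 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    # Oldest first, so a parent's label is recorded before its children appear.
    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['NewProcessId'] -or -not $data['ProcessId']) { continue }

        # 4688 reports PIDs as hex strings such as 0x1a2c
        $childPid  = [Convert]::ToInt32($data['NewProcessId'], 16)
        $parentPid = [Convert]::ToInt32($data['ProcessId'], 16)
        $label     = $data['MandatoryLabel']
        $labels[$childPid] = $label

        # PID reuse can mislabel a parent; treat hits as leads, not verdicts.
        if ($label -eq 'S-1-16-16384' -and $labels[$parentPid] -eq 'S-1-16-8192') {
            $hits += [pscustomobject]@{
                Time   = $e.TimeCreated
                Child  = $data['NewProcessName']
                Parent = $data['ParentProcessName']
                User   = $data['SubjectUserName']
                Reason = 'System-integrity child created by medium-integrity parent'
            }
        }
    }
    return $hits
}

Find-IntegrityMismatch | Format-Table -AutoSize
```

Legitimate service-control paths can also produce such pairs, so baseline the output per host before turning it into an alert.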
How to Mitigate CVE-2026-35418
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-35418 to all affected Windows builds.
- Prioritize multi-user systems, terminal servers, and developer workstations where local accounts can run untrusted code.
- Audit endpoints for unexpected use of cloud placeholder APIs by unprivileged users.
Patch Information
Microsoft has released cumulative security updates that address the use-after-free in cldflt.sys across Windows 10, Windows 11, and Windows Server. Refer to the Microsoft Security Update for CVE-2026-35418 for the specific KB articles and build numbers that correspond to each affected release.
Workarounds
- No vendor-supplied workaround replaces the patch; install the update at the earliest maintenance window.
- Restrict interactive logon to trusted users on shared systems to reduce the local attacker pool.
- Disable cloud sync providers on hosts that do not require placeholder file functionality, which reduces reachability of cldflt.sys code paths.
# Verify patch level on a Windows host (PowerShell); compare HotFixID against the KB listed in the MSRC advisory
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10 HotFixID, Description, InstalledOn
# Confirm the file version of the Cloud Files Mini Filter Driver against the fixed build for this release
(Get-Item "$env:SystemRoot\System32\drivers\cldflt.sys").VersionInfo | Select-Object FileVersion, ProductVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.