CVE-2026-35420 Overview
CVE-2026-35420 is a heap-based buffer overflow vulnerability in the Microsoft Windows Kernel. An authenticated local attacker can exploit the flaw to elevate privileges on affected Windows Server systems. The vulnerability is classified under [CWE-122] (Heap-based Buffer Overflow) and impacts multiple supported Windows Server releases, from Windows Server 2012 through Windows Server 2025. Microsoft published the advisory on May 12, 2026, and no public proof-of-concept exploit or in-the-wild exploitation has been reported.
Critical Impact
Successful exploitation grants SYSTEM-level privileges on the affected host, enabling full compromise of confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows Server 2012 and Windows Server 2012 R2
- Microsoft Windows Server 2016, 2019, 2022, and 2022 23H2
- Microsoft Windows Server 2025
Discovery Timeline
- 2026-05-12 - Microsoft publishes advisory for CVE-2026-35420
- 2026-05-12 - CVE-2026-35420 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-35420
Vulnerability Analysis
The vulnerability resides in the Windows Kernel and stems from a heap-based buffer overflow condition. An authenticated attacker with low privileges on the target system can trigger the overflow through a crafted local interaction with the kernel. Because the overflow occurs in kernel memory, successful exploitation corrupts adjacent heap structures and allows the attacker to influence kernel execution flow.
The flaw requires local access and valid credentials, but no user interaction is needed. Once exploited, the attacker obtains SYSTEM-level privileges, providing full control over the host. This class of vulnerability is commonly chained with remote code execution flaws or initial-access techniques to escalate from a standard user context to full administrative control.
Root Cause
The root cause is improper validation of buffer size during a heap allocation or write operation within the Windows Kernel. When an undersized buffer is allocated relative to the data written, adjacent heap metadata and objects are overwritten. Attackers can leverage kernel heap-spraying techniques to position attacker-controlled data adjacent to the vulnerable allocation, enabling arbitrary kernel write primitives.
Attack Vector
Exploitation requires local access to the system with a valid low-privileged account. The attacker invokes the vulnerable kernel code path through a system call, IOCTL, or other user-to-kernel interface. The crafted input triggers the out-of-bounds write in the kernel heap, leading to memory corruption that the attacker uses to overwrite security tokens or function pointers and achieve privilege escalation.
No verified public exploit code is available. Refer to the Microsoft CVE-2026-35420 Advisory for vendor technical details.
Detection Methods for CVE-2026-35420
Indicators of Compromise
- Unexpected process token elevation where a low-privileged process suddenly executes with SYSTEM privileges.
- Kernel-mode bug checks or crash dumps referencing heap corruption in ntoskrnl.exe.
- Anomalous IOCTL or system call patterns from non-administrative user sessions targeting kernel drivers.
Detection Strategies
- Monitor Windows Event Logs for kernel crashes, Event ID 41 (Kernel-Power), and unexpected service restarts following user activity.
- Deploy endpoint detection and response (EDR) tooling capable of identifying behavioral anomalies tied to local privilege escalation, such as token theft and parent-child process mismatches.
- Correlate authentication events with subsequent process creation events to detect privilege transitions inconsistent with normal user behavior.
Monitoring Recommendations
- Forward Windows Security, System, and Sysmon logs to a centralized analytics platform for retrospective hunting.
- Track creation of new services, scheduled tasks, or drivers initiated by previously low-privileged accounts.
- Alert on processes spawning with NT AUTHORITY\SYSTEM integrity from non-system parent processes.
How to Mitigate CVE-2026-35420
Immediate Actions Required
- Apply the security update referenced in the Microsoft CVE-2026-35420 Advisory to all affected Windows Server systems.
- Inventory Windows Server 2012 through 2025 hosts and prioritize patching for systems exposing interactive logon, Remote Desktop, or terminal services.
- Audit local accounts and remove unnecessary interactive logon rights to reduce the attack surface for local exploitation.
Patch Information
Microsoft has released security updates addressing CVE-2026-35420 through the May 2026 Patch Tuesday cycle. Administrators should consult the Microsoft CVE-2026-35420 Advisory for the specific KB articles applicable to each Windows Server version and deploy updates through Windows Update, WSUS, or Microsoft Update Catalog.
Workarounds
- No vendor-supplied workaround exists. Patching is the only supported remediation.
- Restrict local logon to trusted administrators where feasible, using Group Policy User Rights Assignment to limit Allow log on locally.
- Enforce the principle of least privilege and disable unused services that expose kernel attack surface to standard users.
# Verify installed updates on a Windows Server host
wmic qfe list brief /format:table
# Trigger Windows Update scan and install via PowerShell
USoClient.exe StartScan
USoClient.exe StartDownload
USoClient.exe StartInstall
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
