CVE-2026-41095 Overview
CVE-2026-41095 is a use-after-free vulnerability [CWE-416] in the Windows Data Deduplication component. An authorized local attacker can exploit the flaw to elevate privileges on affected Windows Server systems. Microsoft assigned the issue a CVSS 3.1 base score of 7.8 under the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Successful exploitation grants the attacker high impact to confidentiality, integrity, and availability on the target host. The vulnerability affects multiple supported Windows Server releases, including Windows Server 2012 R2 through Windows Server 2025.
Critical Impact
A low-privileged local user can trigger memory reuse in the Data Deduplication service to execute code with elevated privileges on the host.
Affected Products
- Microsoft Windows Server 2012 R2, 2016, 2019
- Microsoft Windows Server 2022 and 2022 23H2
- Microsoft Windows Server 2025
Discovery Timeline
- 2026-05-12 - CVE-2026-41095 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-41095
Vulnerability Analysis
The vulnerability resides in the Windows Data Deduplication subsystem, which optimizes storage by identifying and consolidating duplicate file chunks. A use-after-free condition occurs when the component continues to reference memory after it has been released. An authorized local user can interact with the Data Deduplication service to reach the vulnerable code path. Reusing the freed object allows attacker-controlled data to be interpreted as a valid kernel or service structure. This leads to local privilege escalation, granting the attacker SYSTEM-level execution on the affected host.
Root Cause
The defect is a classic use-after-free [CWE-416]. The Data Deduplication component releases a heap object but retains a dangling pointer that is later dereferenced. When the freed memory is reallocated with attacker-influenced contents, the stale reference causes the service to operate on a corrupted object. The lifecycle of the affected object is not adequately synchronized between allocation, release, and subsequent access.
Attack Vector
Exploitation requires local access and low privileges on the target server. No user interaction is needed. The attacker invokes Data Deduplication functionality through documented interfaces, triggers the race or sequencing flaw that frees the object, and forces a controlled reallocation before the dangling pointer is reused. Because the flaw is local-only, network-based exploitation is not possible without an initial foothold on the server.
No verified public exploit or proof-of-concept code is currently available. See the Microsoft CVE-2026-41095 Update for vendor-specific technical context.
Detection Methods for CVE-2026-41095
Indicators of Compromise
- Unexpected crashes or restarts of the Data Deduplication service (ddpsvc, ddpcli) or related kernel components.
- Creation of new privileged accounts or services following Data Deduplication activity from a non-administrative user context.
- Anomalous process tokens where a previously low-privileged process gains SYSTEM integrity.
Detection Strategies
- Monitor for low-privileged users invoking Data Deduplication APIs or PowerShell cmdlets such as Start-DedupJob, Get-DedupStatus, and related management calls.
- Correlate service crash events in the Windows Application and System logs with subsequent token elevation or child process creation.
- Hunt for process injection patterns or unsigned binaries spawned by Data Deduplication service processes.
Monitoring Recommendations
- Enable detailed audit logging for privilege use and process creation (Event IDs 4673, 4688) on file servers with Data Deduplication enabled.
- Forward telemetry from file servers to a centralized SIEM or data lake for behavioral correlation.
- Baseline normal Data Deduplication job scheduling and alert on out-of-band invocations from interactive user sessions.
How to Mitigate CVE-2026-41095
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-41095 Update advisory to all affected Windows Server hosts.
- Inventory file servers with the Data Deduplication role installed and prioritize them for patching.
- Restrict interactive and remote logon rights on servers running Data Deduplication to trusted administrators only.
Patch Information
Microsoft has released security updates addressing CVE-2026-41095 for Windows Server 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025. Refer to the Microsoft Security Response Center advisory at Microsoft CVE-2026-41095 Update for the appropriate KB articles and installation packages for each affected build.
Workarounds
- Disable the Data Deduplication role on servers where it is not required until the patch can be applied.
- Limit local logon and remote desktop access on storage servers to reduce the pool of users who can trigger the vulnerability.
- Enforce least-privilege access policies and remove unnecessary local accounts from affected systems.
# Verify and remove the Data Deduplication role on a Windows Server host
Get-WindowsFeature -Name FS-Data-Deduplication
Uninstall-WindowsFeature -Name FS-Data-Deduplication -Restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
