CVE-2026-42837 Overview
CVE-2026-42837 is a buffer over-read vulnerability in the Windows Projected File System (ProjFS) Filter Driver. An authorized local attacker can exploit the flaw to elevate privileges on affected systems. The weakness is classified under [CWE-125] (Out-of-bounds Read) and carries a CVSS 3.1 base score of 7.8. Microsoft has published an advisory through the Microsoft Security Update Guide. The vulnerability affects a broad range of Windows client and server releases, including Windows 10, Windows 11, and Windows Server 2019 through 2025. EPSS currently rates the exploit probability at 0.06%.
Critical Impact
A local low-privileged user can leverage the ProjFS filter driver flaw to achieve elevation of privilege, gaining high impact on confidentiality, integrity, and availability of the affected host.
Affected Products
- Microsoft Windows 10 (1809, 21H2, 22H2)
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1)
- Microsoft Windows Server 2019, 2022, and 2025
Discovery Timeline
- 2026-06-09 - CVE-2026-42837 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-42837
Vulnerability Analysis
The Windows Projected File System (ProjFS) Filter Driver mediates virtualized file system projections used by applications such as Git Virtual File System. The driver runs in kernel mode and processes user-supplied requests from local callers. A buffer over-read condition in the driver allows an authenticated attacker to read memory beyond an allocated buffer boundary. Exploitation leads to privilege escalation rather than information disclosure alone, indicating the over-read can be combined with adjacent kernel state manipulation. Successful attacks yield SYSTEM-level execution on the affected host.
Root Cause
The defect stems from improper bounds checking in the ProjFS filter driver when handling input structures from user mode. The driver reads past the end of a buffer, returning kernel memory contents or corrupting state used in subsequent privileged operations. This pattern aligns with [CWE-125] and is typical of driver code that trusts caller-supplied length fields without validating against the actual allocated size.
Attack Vector
Exploitation requires local access and low-privilege authentication. No user interaction is needed, and the attack runs against the local kernel attack surface. An attacker who already has code execution as a standard user can invoke ProjFS driver interfaces with crafted parameters to trigger the over-read. The resulting kernel state can be manipulated to escalate to SYSTEM, enabling persistence, credential theft, or disabling of security controls.
No public proof-of-concept code is currently available. See the Microsoft Security Update Guide for vendor technical details.
Detection Methods for CVE-2026-42837
Indicators of Compromise
- Unexpected child processes spawning under SYSTEM context from standard user sessions on hosts where ProjFS is enabled.
- Anomalous kernel-mode crashes or bug checks referencing the ProjFS filter driver (PrjFlt.sys).
- Suspicious use of ProjFS APIs by non-development workloads, particularly on servers without Git VFS or similar legitimate consumers.
Detection Strategies
- Monitor for local privilege escalation behaviors: token duplication, SYSTEM-owned processes launched from user-writable paths, and abnormal access to LSASS following user-mode activity.
- Hunt for unsigned or newly introduced binaries that interact with PrjFlt.sys device objects.
- Correlate Windows Error Reporting events tied to the ProjFS driver with subsequent privilege transitions in the same session.
Monitoring Recommendations
- Enable kernel auditing and forward Sysmon process creation, image load, and driver load events to a centralized analytics platform.
- Track installation status of the June 2026 Microsoft security updates across the fleet to identify unpatched hosts.
- Alert on any new device handle opens to \\.\PROJFS or related ProjFS device namespaces from unexpected processes.
How to Mitigate CVE-2026-42837
Immediate Actions Required
- Apply the Microsoft security updates referenced in the Microsoft Security Update Guide for all affected Windows 10, Windows 11, and Windows Server builds.
- Prioritize patching of multi-user systems, jump servers, and developer workstations where local users are most likely to attempt privilege escalation.
- Restrict interactive logon rights to trusted accounts to reduce the population of potential local attackers.
Patch Information
Microsoft has released security updates addressing CVE-2026-42837 across all supported Windows client and server SKUs. Administrators should consult the vendor advisory for the specific KB article matching each operating system build and install it through Windows Update, WSUS, or the Microsoft Update Catalog.
Workarounds
- Where ProjFS is not required, disable the Windows Projected File System optional feature via Disable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS.
- Apply application control policies (such as Windows Defender Application Control) to block untrusted binaries from executing on sensitive hosts until patches are applied.
- Enforce least privilege so that standard users cannot stage exploit binaries in writable locations on critical systems.
# Configuration example: disable the optional ProjFS feature on hosts that do not require it
Disable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart
# Verify patch installation status for a specific KB (replace with the KB from the Microsoft advisory)
Get-HotFix | Where-Object { $_.HotFixID -eq 'KBXXXXXXX' }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
