Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45586

CVE-2026-45586: Windows 10 1607 Privilege Escalation Flaw

CVE-2026-45586 is a privilege escalation vulnerability in Windows 10 1607 Collaborative Translation Framework. Attackers can exploit improper link resolution to gain elevated privileges locally on affected systems.

Published:

CVE-2026-45586 Overview

CVE-2026-45586 is a local privilege escalation vulnerability in the Windows Collaborative Translation Framework. The flaw stems from improper link resolution before file access ([CWE-59]), commonly referred to as a link following or symbolic link vulnerability. An authorized attacker with low privileges on an affected Windows host can abuse this weakness to gain higher privileges on the local system. Microsoft published the advisory on 2026-06-09, and the issue affects a broad range of Windows client and server releases, including Windows 10, Windows 11 through 26h1, and Windows Server 2012 through 2025.

Critical Impact

A locally authenticated attacker can elevate privileges to a higher security context on the host, undermining confidentiality, integrity, and availability of the operating system.

Affected Products

  • Microsoft Windows 10 (1607, 1809, 21h2, 22h2)
  • Microsoft Windows 11 (23h2, 24h2, 25h2, 26h1)
  • Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025

Discovery Timeline

  • 2026-06-09 - CVE-2026-45586 published to NVD
  • 2026-06-11 - Last updated in NVD database

Technical Details for CVE-2026-45586

Vulnerability Analysis

The Windows Collaborative Translation Framework is a system component used to support translation and language services across Windows. The vulnerability arises when the framework accesses files without correctly resolving filesystem links prior to operating on the target path. An attacker who already has local, low-privileged access can plant a crafted symbolic link or junction that redirects a privileged file operation to an attacker-controlled location.

This class of flaw is tracked as [CWE-59] Improper Link Resolution Before File Access. Successful exploitation lets the attacker influence file create, delete, or write operations executed by a higher-privileged process. The outcome is local elevation of privilege on the affected host. The CVSS vector indicates the attack requires local access, low complexity, low privileges, and no user interaction, with high impact to confidentiality, integrity, and availability.

Root Cause

The root cause is the framework following filesystem links during privileged file operations without validating that the resolved target is safe. Because the privileged process opens or modifies the link target rather than the intended path, an attacker who controls the directory or link can redirect the operation to a sensitive file owned by SYSTEM.

Attack Vector

Exploitation requires local code execution as a standard user. The attacker prepares a directory or file the privileged service interacts with, replaces it with a symbolic link, junction, or hard link pointing to a protected resource, and then triggers the framework operation. The privileged write or delete then occurs against the attacker-chosen target, leading to privilege escalation.

No public proof-of-concept exploit is currently listed for CVE-2026-45586, and the issue is not on the CISA Known Exploited Vulnerabilities catalog. See the Microsoft Security Update Guide entry for CVE-2026-45586 for vendor-specific technical context.

Detection Methods for CVE-2026-45586

Indicators of Compromise

  • Creation of symbolic links, NTFS junctions, or hard links in user-writable paths that target system locations such as C:\Windows\System32 or C:\ProgramData.
  • Unexpected file writes or deletions in protected directories performed by Collaborative Translation Framework processes.
  • Standard user accounts spawning processes or loading modules with SYSTEM integrity shortly after interacting with translation-related components.

Detection Strategies

  • Monitor Windows Sysmon Event ID 11 (FileCreate) and Event ID 1 (process create) for link creation by non-administrative users followed by privileged file operations on the resolved target.
  • Hunt for CreateSymbolicLink, mklink /J, and SetReparsePoint activity originating from low-privileged user sessions in directories used by Windows language and translation services.
  • Correlate file integrity changes in System32 or service binaries with preceding reparse point creation events to surface link-following abuse.

Monitoring Recommendations

  • Enable object access auditing on directories used by Windows translation and accessibility components and forward events to a centralized analytics platform.
  • Track integrity-level transitions where processes started as Medium integrity produce child processes running as High or SYSTEM integrity.
  • Alert on new reparse points created in user-writable directories that resolve to paths under %SystemRoot%.

How to Mitigate CVE-2026-45586

Immediate Actions Required

  • Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-45586 to all affected Windows 10, Windows 11, and Windows Server hosts.
  • Inventory endpoints and servers running affected builds, prioritizing multi-user systems, terminal servers, and developer workstations where local accounts are common.
  • Restrict the ability of standard users to create symbolic links by reviewing the SeCreateSymbolicLinkPrivilege assignment in Group Policy.

Patch Information

Microsoft has released fixes through the Windows Update channel for all supported affected versions. Refer to the Microsoft Security Update Guide for CVE-2026-45586 for the specific KB articles per Windows build. Deploy these updates through Windows Update, WSUS, Microsoft Intune, or Configuration Manager according to your patch management process.

Workarounds

  • Limit interactive and remote logon rights so that only trusted users can obtain local sessions on affected hosts, reducing the population of attackers that meet the local access requirement.
  • Remove the Create symbolic links user right from standard users where business requirements allow, enforced through Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
  • Apply application control policies such as Windows Defender Application Control or AppLocker to block unauthorized binaries that could be used to trigger the vulnerable code path.
bash
# Configuration example: audit and restrict symbolic link creation via Group Policy
# Open: gpedit.msc
# Navigate: Computer Configuration > Windows Settings > Security Settings >
#           Local Policies > User Rights Assignment > Create symbolic links
# Remove standard user groups; retain Administrators only.

# Enable auditing of file system object access
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne