CVE-2026-45636 Overview
CVE-2026-45636 is a heap-based buffer overflow vulnerability in the Windows New Technology File System (NTFS). The flaw allows an unauthorized local attacker to execute arbitrary code on an affected system. Successful exploitation requires user interaction, such as opening or mounting a crafted file or volume. The vulnerability is classified under [CWE-20] Improper Input Validation, indicating that NTFS does not correctly validate input data before processing it on the heap.
Critical Impact
Local code execution through a crafted NTFS structure that triggers a heap buffer overflow, leading to full compromise of confidentiality, integrity, and availability on the affected host.
Affected Products
- Microsoft Windows (NTFS driver) — see Microsoft Security Update CVE-2026-45636 for the complete list of affected builds
- Windows Server editions exposing the NTFS file system driver
- Windows client editions that mount NTFS volumes
Discovery Timeline
- 2026-06-09 - CVE-2026-45636 published to the National Vulnerability Database (NVD)
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-45636
Vulnerability Analysis
The vulnerability resides in the NTFS driver's handling of file system metadata. When NTFS parses a malformed on-disk structure, it writes beyond the bounds of a heap-allocated buffer. This memory corruption can be shaped to overwrite adjacent kernel objects and redirect execution flow. An attacker who controls the layout of a crafted NTFS volume or file can leverage the overflow to execute code in the security context of the process that parses the structure.
Exploitation requires local access and user interaction. Typical triggers include mounting an attacker-supplied removable drive, opening a crafted virtual hard disk (VHD or VHDX), or processing a malicious file from an externally provided volume. No prior privileges are required from the attacker before the user action occurs.
Root Cause
The root cause is improper input validation [CWE-20] of NTFS metadata fields used to size or index a heap allocation. When the driver trusts attacker-controlled length or offset values, subsequent copy operations write past the allocated chunk boundary. This corrupts heap metadata and adjacent allocations within the kernel pool.
Attack Vector
The attack vector is local with required user interaction. An attacker delivers a crafted NTFS image (for example, a USB device, ISO, VHD, or VHDX) and convinces a user to mount or open it. Parsing the malformed structure triggers the heap overflow within the NTFS driver, enabling local code execution.
No verified proof-of-concept code is publicly available at this time. Refer to the Microsoft Security Update CVE-2026-45636 advisory for authoritative technical details.
Detection Methods for CVE-2026-45636
Indicators of Compromise
- Unexpected mounting of removable media, ISO, VHD, or VHDX files immediately followed by NTFS driver errors or system instability
- Kernel crash dumps referencing the ntfs.sys driver with heap corruption signatures such as BAD_POOL_HEADER or KERNEL_MODE_HEAP_CORRUPTION
- New or unsigned processes spawned shortly after a user opens an external storage device or disk image
Detection Strategies
- Monitor Windows event logs for repeated NTFS file system errors (Event IDs 55, 98, 137) correlated with disk image mount operations
- Inspect process creation telemetry for elevated child processes that follow explorer.exe or mmc.exe disk-mount activity
- Hunt for use of the Mount-DiskImage or Mount-VHD PowerShell cmdlets from non-administrative user sessions
Monitoring Recommendations
- Enable kernel pool tracking and Driver Verifier on high-value systems to surface heap corruption originating in ntfs.sys
- Forward Windows Security, System, and Sysmon logs to a centralized analytics platform for cross-host correlation of mount-then-crash patterns
- Alert on USB mass storage insertion combined with subsequent system crash within a short time window
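The mount-then-error correlation that the Detection Strategies and Monitoring Recommendations above describe, written out as an added example (this is not code from the advisory or from Microsoft). It assumes that mount cmdlet use is visible through PowerShell script block logging (Event ID 4104), that USB arrival is represented by a placeholder provider named "USB" standing in for whatever device telemetry you actually collect, that events arrive as constructed pipe-delimited lines, and that the "short time window" on the page is five minutes; the sample lines and the admin-user set are constructed for the example.

```python
"""Mount-then-NTFS-error correlation over forwarded Windows event lines.

Added example for this page, not code from the advisory or from Microsoft.
Assumptions (this example's, not the advisory's): mount cmdlet use is seen
through PowerShell script block logging (Event ID 4104); USB arrival is a
placeholder provider named "USB"; events arrive as constructed
pipe-delimited lines; a five-minute window and a small admin-user set.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# NTFS file-system error Event IDs named on this page (System log, provider "Ntfs").
NTFS_ERROR_IDS = {55, 98, 137}
# Mount cmdlets named on this page, matched case-insensitively in script block text.
MOUNT_CMDLETS = ("mount-diskimage", "mount-vhd")
# Assumed correlation window (the page's "short time window" is not quantified).
WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    provider: str
    event_id: int
    message: str


@dataclass
class Alert:
    host: str
    user: str          # user who performed the mount-like action
    trigger: Event
    errors: List[Event]
    nonadmin: bool     # True when the mounting user is not in the admin set


def parse_line(line: str) -> Event:
    """Parse a constructed 'ts|host|user|provider|event_id|message' line."""
    ts, host, user, provider, event_id, message = line.split("|", 5)
    return Event(datetime.fromisoformat(ts), host, user, provider, int(event_id), message)


def is_trigger(e: Event) -> bool:
    """Mount-like action: a mount cmdlet in script block logging, or USB arrival."""
    if e.provider == "PowerShell" and e.event_id == 4104:
        text = e.message.lower()
        return any(cmdlet in text for cmdlet in MOUNT_CMDLETS)
    return e.provider == "USB"  # assumed placeholder for device-arrival telemetry


def is_ntfs_error(e: Event) -> bool:
    return e.provider == "Ntfs" and e.event_id in NTFS_ERROR_IDS


def correlate(events: Iterable[Event], admin_users: Set[str],
              window: timedelta = WINDOW) -> List[Alert]:
    """One alert per trigger followed, on the same host, by NTFS errors within the window."""
    by_host: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda x: x.ts):
        by_host.setdefault(e.host, []).append(e)
    alerts: List[Alert] = []
    for host, evs in by_host.items():
        for i, trig in enumerate(evs):
            if not is_trigger(trig):
                continue
            errs = [e for e in evs[i + 1:] if is_ntfs_error(e) and e.ts - trig.ts <= window]
            if errs:
                alerts.append(Alert(host, trig.user, trig, errs, trig.user not in admin_users))
    return alerts


def run(lines: Iterable[str], admin_users: Set[str]) -> List[Alert]:
    """Parse raw lines and correlate them; skips blank lines."""
    return correlate((parse_line(l) for l in lines if l.strip()), admin_users)


# Constructed sample telemetry (not real logs). Only WS-01 should alert:
# SRV-02 has an NTFS error with no preceding mount, WS-03's error falls
# outside the window, and the 12:00 mount on WS-01 has no errors after it.
SAMPLE_LINES = [
    r"2026-06-10T10:00:12|WS-01|alice|PowerShell|4104|Mount-DiskImage -ImagePath C:\Users\alice\Downloads\invoice.iso",
    r"2026-06-10T10:02:40|WS-01|SYSTEM|Ntfs|55|The file system structure on volume E: is corrupt and unusable.",
    r"2026-06-10T10:03:05|WS-01|SYSTEM|Ntfs|137|The default transaction resource manager on volume E: encountered an error.",
    r"2026-06-10T11:00:00|SRV-02|SYSTEM|Ntfs|98|Volume D: needs to be taken offline to perform a full chkdsk.",
    r"2026-06-10T12:00:00|WS-01|itadmin|PowerShell|4104|Mount-VHD -Path D:\images\gold.vhdx",
    r"2026-06-10T09:00:00|WS-03|bob|USB|1|USB mass storage device arrived (constructed event)",
    r"2026-06-10T09:20:00|WS-03|SYSTEM|Ntfs|55|The file system structure on volume F: is corrupt and unusable.",
]

if __name__ == "__main__":
    for a in run(SAMPLE_LINES, admin_users={"itadmin"}):
        ids = ",".join(str(e.event_id) for e in a.errors)
        print(f"{a.host}: {a.user} ({'non-admin' if a.nonadmin else 'admin'}) "
              f"mount at {a.trigger.ts:%H:%M:%S} followed by Ntfs {ids}")
```

In a real deployment the `parse_line` step is replaced by the SIEM's field extraction and the "USB" placeholder by the provider your device-control or Sysmon configuration actually emits; the correlation itself (same host, trigger first, NTFS error IDs 55/98/137 inside the window, non-admin flag on the mounting user) is what carries over.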
How to Mitigate CVE-2026-45636
Immediate Actions Required
- Apply the security updates referenced in the Microsoft Security Update CVE-2026-45636 advisory across all Windows systems
- Inventory endpoints and servers that handle removable media or external disk images and prioritize them for patching
- Restrict the ability of standard users to mount untrusted removable media or virtual disk files
Patch Information
Microsoft has issued an official update through the Microsoft Security Response Center. Administrators should deploy the patch via Windows Update, Windows Server Update Services (WSUS), or Microsoft Endpoint Configuration Manager. Validate that the NTFS driver ntfs.sys version matches the patched build documented in the advisory.
Workarounds
- Block insertion of unauthorized USB mass storage devices through Group Policy or device control solutions
- Disable automatic mounting of ISO, VHD, and VHDX files via shell handler restrictions until patches are deployed
- Require administrative privileges for mounting disk images and removable volumes on shared or sensitive systems
# Disable automatic ISO/VHD mount handlers (run as Administrator)
reg add "HKCR\Windows.IsoFile\shell\mount" /v LegacyDisable /t REG_SZ /d "" /f
reg add "HKCR\Windows.VhdFile\shell\mount" /v LegacyDisable /t REG_SZ /d "" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.