CVE-2026-45653 Overview
CVE-2026-45653 is a use-after-free vulnerability in the Windows Kernel. An authorized local attacker can exploit the flaw to elevate privileges on an affected system. The weakness is tracked under CWE-122, which covers heap-based memory corruption.
Microsoft published the advisory through the Microsoft Security Response Center (MSRC). Successful exploitation grants the attacker higher integrity execution, enabling kernel-level code execution from a low-privileged account. The attack complexity is high, requiring precise control over kernel memory allocation and timing.
Critical Impact
Local attackers with valid credentials can leverage a freed kernel object to gain SYSTEM-level privileges and bypass user-mode security controls.
Affected Products
- Microsoft Windows Kernel (specific builds enumerated in the MSRC advisory)
- Refer to the Microsoft Security Update Guide for the complete list of affected SKUs
- No third-party products are identified in the NVD record
Discovery Timeline
- 2026-06-09 - CVE-2026-45653 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-45653
Vulnerability Analysis
The vulnerability is a use-after-free condition in the Windows Kernel. Use-after-free occurs when code continues to reference a heap object after the allocator has released it. An attacker who reclaims that freed memory with controlled data can hijack subsequent kernel operations that dereference the stale pointer.
The NVD entry categorizes the flaw under [CWE-122] (Heap-Based Buffer Overflow), reflecting heap memory corruption tied to the freed allocation. Exploitation requires local access and low privileges, but no user interaction. Confidentiality, integrity, and availability are all impacted at the high level once the attacker corrupts kernel state.
Root Cause
The root cause is improper lifetime management of a kernel heap object. A code path frees the allocation without invalidating remaining references, allowing later code to operate on dangling memory. Attackers spray the kernel pool to place attacker-controlled data into the reclaimed slot.
Attack Vector
The attack is local. An authenticated user runs a crafted program that triggers the vulnerable kernel code path, races to reclaim the freed object, and forces the kernel to use the corrupted structure. The exploit chain typically pivots through a function pointer or object header field to redirect kernel execution. EPSS data lists the exploitation probability at 0.055% (17.473 percentile), and no public exploit is currently tracked.
No public proof-of-concept code is available. Technical specifics are restricted to the Microsoft Security Update Guide entry for this CVE.
Detection Methods for CVE-2026-45653
Indicators of Compromise
- Unexpected kernel bugchecks referencing pool corruption or stale pointer dereference on patched-but-attacked systems
- New SYSTEM-level processes spawned from low-privileged user sessions without a corresponding service or scheduled task
- Unsigned or anomalous drivers loaded shortly before privilege transitions in the same session
Detection Strategies
- Monitor for local processes that issue rapid sequences of kernel object allocation and free system calls consistent with pool grooming
- Correlate token elevation events (Windows Event ID 4672) issued to user accounts that should not hold administrative rights
- Hunt for child processes inheriting SYSTEM tokens from parents launched in interactive user sessions
Monitoring Recommendations
- Enable kernel-mode telemetry and ETW providers covering process token changes and driver load events
- Centralize endpoint telemetry into a SIEM with retention long enough to investigate post-compromise pivots
- Alert on integrity-level transitions from Medium to System within a single process tree
How to Mitigate CVE-2026-45653
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory to all affected Windows systems
- Prioritize patching on multi-user systems, jump hosts, and developer workstations where local accounts are common
- Audit local account inventories and remove unnecessary interactive logon rights
Patch Information
Microsoft has released a security update through the standard Patch Tuesday channel. Administrators should deploy the relevant cumulative update via Windows Update, Windows Server Update Services (WSUS), or Microsoft Configuration Manager. Verify installation by checking the build number against the fixed version listed in the Microsoft Security Update Guide.
Workarounds
- No official workaround is published by Microsoft; patching is the supported remediation
- Restrict local logon and remote interactive logon to trusted administrative accounts until updates are deployed
- Enforce application allowlisting to block unsigned binaries from executing in user contexts
# Verify the installed Windows update on a host
wmic qfe list brief /format:table
# Or, using PowerShell, list recent hotfixes
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

