Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45653

CVE-2026-45653: Windows Kernel Privilege Escalation Flaw

CVE-2026-45653 is a use-after-free vulnerability in Windows Kernel that enables authorized attackers to escalate privileges locally. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-45653 Overview

CVE-2026-45653 is a use-after-free vulnerability in the Windows Kernel. An authorized local attacker can exploit the flaw to elevate privileges on an affected system. The weakness is tracked under CWE-122, which covers heap-based memory corruption.

Microsoft published the advisory through the Microsoft Security Response Center (MSRC). Successful exploitation grants the attacker higher integrity execution, enabling kernel-level code execution from a low-privileged account. The attack complexity is high, requiring precise control over kernel memory allocation and timing.

Critical Impact

Local attackers with valid credentials can leverage a freed kernel object to gain SYSTEM-level privileges and bypass user-mode security controls.

Affected Products

  • Microsoft Windows Kernel (specific builds enumerated in the MSRC advisory)
  • Refer to the Microsoft Security Update Guide for the complete list of affected SKUs
  • No third-party products are identified in the NVD record

Discovery Timeline

  • 2026-06-09 - CVE-2026-45653 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-45653

Vulnerability Analysis

The vulnerability is a use-after-free condition in the Windows Kernel. Use-after-free occurs when code continues to reference a heap object after the allocator has released it. An attacker who reclaims that freed memory with controlled data can hijack subsequent kernel operations that dereference the stale pointer.

The NVD entry categorizes the flaw under [CWE-122] (Heap-Based Buffer Overflow), reflecting heap memory corruption tied to the freed allocation. Exploitation requires local access and low privileges, but no user interaction. Confidentiality, integrity, and availability are all impacted at the high level once the attacker corrupts kernel state.

Root Cause

The root cause is improper lifetime management of a kernel heap object. A code path frees the allocation without invalidating remaining references, allowing later code to operate on dangling memory. Attackers spray the kernel pool to place attacker-controlled data into the reclaimed slot.

Attack Vector

The attack is local. An authenticated user runs a crafted program that triggers the vulnerable kernel code path, races to reclaim the freed object, and forces the kernel to use the corrupted structure. The exploit chain typically pivots through a function pointer or object header field to redirect kernel execution. EPSS data lists the exploitation probability at 0.055% (17.473 percentile), and no public exploit is currently tracked.

No public proof-of-concept code is available. Technical specifics are restricted to the Microsoft Security Update Guide entry for this CVE.

Detection Methods for CVE-2026-45653

Indicators of Compromise

  • Unexpected kernel bugchecks referencing pool corruption or stale pointer dereference on patched-but-attacked systems
  • New SYSTEM-level processes spawned from low-privileged user sessions without a corresponding service or scheduled task
  • Unsigned or anomalous drivers loaded shortly before privilege transitions in the same session

Detection Strategies

  • Monitor for local processes that issue rapid sequences of kernel object allocation and free system calls consistent with pool grooming
  • Correlate token elevation events (Windows Event ID 4672) issued to user accounts that should not hold administrative rights
  • Hunt for child processes inheriting SYSTEM tokens from parents launched in interactive user sessions

Monitoring Recommendations

  • Enable kernel-mode telemetry and ETW providers covering process token changes and driver load events
  • Centralize endpoint telemetry into a SIEM with retention long enough to investigate post-compromise pivots
  • Alert on integrity-level transitions from Medium to System within a single process tree

How to Mitigate CVE-2026-45653

Immediate Actions Required

  • Apply the Microsoft security update referenced in the MSRC advisory to all affected Windows systems
  • Prioritize patching on multi-user systems, jump hosts, and developer workstations where local accounts are common
  • Audit local account inventories and remove unnecessary interactive logon rights

Patch Information

Microsoft has released a security update through the standard Patch Tuesday channel. Administrators should deploy the relevant cumulative update via Windows Update, Windows Server Update Services (WSUS), or Microsoft Configuration Manager. Verify installation by checking the build number against the fixed version listed in the Microsoft Security Update Guide.

Workarounds

  • No official workaround is published by Microsoft; patching is the supported remediation
  • Restrict local logon and remote interactive logon to trusted administrative accounts until updates are deployed
  • Enforce application allowlisting to block unsigned binaries from executing in user contexts
bash
# Verify the installed Windows update on a host
wmic qfe list brief /format:table

# Or, using PowerShell, list recent hotfixes
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.