Windows Kernel Elevation of Privilege Vulnerability

Plan Patch | CVSS 7.8 | CVE-2026-24289 | Mar 10, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Use after free vulnerability in Windows Kernel allows an authorized local attacker to elevate privileges. The vulnerability exists in Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), Windows Server 2016, 2019, 2022, 2025, and their Server Core installations across 32-bit, x64, and ARM64 architectures.

What this means
What could happen
A user with local access to a Windows system could exploit this vulnerability to gain administrative privileges, allowing them to modify system settings, install malware, or access sensitive data. For utilities running SCADA, HMI, or engineering workstations on Windows, this could allow an attacker to take control of the device and alter operational parameters or shut down critical processes.
Who's at risk
This affects IT and OT staff at water utilities and municipal electric utilities who use Windows systems for SCADA/HMI operations, engineering workstations, supervisory servers, and data acquisition systems. It is of particular concern for organizations running Windows 10 or Windows Server 2016/2019 on critical operational equipment without active patching schedules.
How it could be exploited
An attacker with an account on the target Windows system (such as a domain user, remote desktop user, or shared workstation account) could execute code that triggers the use-after-free condition in the kernel, causing the kernel to run attacker-controlled code with elevated privileges. No user interaction or network access is required once the attacker has local access to the system.
Prerequisites
  • Local user account on the affected Windows system
  • Ability to execute code on the system (e.g., local console access, RDP session, or compromised user account)
  • No special privileges or credentials required beyond standard user account
  • No network access required (local only)
  • Requires valid user account
  • Affects multiple Windows versions and architectures
  • Impacts administrative privilege escalation
  • Exploitation assessed as 'More Likely' by vendor
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (27)
27 with fix

| Product | Affected Versions | Fix Status |
|---|---|---|
| Windows 10 Version 1607 for 32-bit Systems | All versions | Build 10.0.14393.8957 |
| Windows 11 Version 26H1 for ARM64-based Systems | All versions | Build 10.0.28000.1719 |
| Windows 11 version 26H1 for x64-based Systems | All versions | Build 10.0.28000.1719 |
| Windows 10 Version 1809 for 32-bit Systems | All versions | Build 10.0.17763.8511 |
| Windows 10 Version 1809 for x64-based Systems | All versions | Build 10.0.17763.8511 |
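
A patch-level check against the fix builds listed above, as an added example that is not part of the original advisory: it compares a host's build string with the fixed revision for its build family. The function names and the sample inventory are constructed for illustration, and only the build families shown on this page are covered.

```powershell
# Minimum patched revision (UBR) per build family, copied from the rows of the
# affected-products table on this page. Other affected builds are not listed there.
$FixedRevision = @{
    14393 = 8957   # Windows 10 Version 1607
    17763 = 8511   # Windows 10 Version 1809
    28000 = 1719   # Windows 11 Version 26H1
}

# Hypothetical helper: classify a version string such as '10.0.17763.8511'.
function Get-KernelFixStatus {
    param([Parameter(Mandatory)][string]$Version)

    $v = [version]$Version
    if (-not $FixedRevision.ContainsKey($v.Build)) {
        # Not the same as "not affected": the fix build is simply not in the table above.
        return 'NotListed'
    }
    if ($v.Revision -ge $FixedRevision[$v.Build]) { return 'Patched' }
    return 'MissingUpdate'
}

# Hypothetical helper: build the version string for the local machine from the registry.
function Get-LocalOsVersion {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    '{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber, $cv.CurrentMinorVersionNumber,
        $cv.CurrentBuildNumber, $cv.UBR
}

# Constructed sample inventory (host names and build strings are made up).
$inventory = @(
    [pscustomobject]@{ Computer = 'hmi-01';    Version = '10.0.17763.8511' }  # at the fix build
    [pscustomobject]@{ Computer = 'eng-ws-02'; Version = '10.0.14393.7000' }  # below the fix build
    [pscustomobject]@{ Computer = 'hist-03';   Version = '10.0.19045.5000' }  # family not in table
)

$inventory | Select-Object Computer, Version,
    @{ Name = 'Status'; Expression = { Get-KernelFixStatus -Version $_.Version } }

# On a live host: Get-KernelFixStatus -Version (Get-LocalOsVersion)
```

A `NotListed` result means the host's build family has to be looked up in the vendor's full product list before the host is treated as patched.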
Remediation & Mitigation
Do now
  • HARDENING: Restrict local console and Remote Desktop access to Windows systems to authorized users only; disable Remote Desktop on systems that do not require it
  • WORKAROUND: Disable or restrict remote access protocols (RDP, SSH) on operational technology workstations and servers using firewall rules or network segmentation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Apply Microsoft's March 2026 security update to all affected Windows systems
  • HARDENING: Implement multi-factor authentication for remote access and privileged accounts to reduce risk from compromised credentials
Long-term hardening
  • HARDENING: Segment engineering workstations and SCADA servers from general corporate networks to limit lateral movement if a Windows system is compromised

Windows Kernel Elevation of Privilege Vulnerability | CVSS 7.8 - OTPulse