Windows Kernel Elevation of Privilege Vulnerability

Plan Patch | CVSS 7.8 | CVE-2026-26163 | Apr 14, 2026
Vendor: Microsoft
Category: IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Privileges Required: Low (a standard, non-administrator user account)
Attack Complexity: Low
User Interaction: None needed
Summary

A double-free memory corruption vulnerability in the Windows Kernel allows a local attacker who already has user-level code execution to escalate to SYSTEM on affected systems. The flaw resides in kernel memory management and is triggered from code running locally on the device; no user interaction is required.

What this means
What could happen
An attacker with local access to a Windows-based HMI, engineering workstation, or server could escalate to system-level privileges and gain full control of that device, potentially allowing unauthorized modification of process parameters or shutdown of critical operations.
Who's at risk
Water utilities and electric utilities operating Windows-based engineering workstations, human-machine interfaces (HMIs), and supervisory servers should assess their inventory. This affects Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025 systems running vulnerable builds. Any Windows device with local user access that interfaces with PLCs, RTUs, or SCADA systems is at risk.
How it could be exploited
An attacker must first gain local code execution on the target system with user-level permissions. Once running on the device, the attacker can trigger the double-free vulnerability in the kernel to escalate to SYSTEM privileges and execute arbitrary commands with full system access.
Prerequisites
  • Local code execution with non-administrator user credentials
  • Physical access to the device, or the ability to log in with a valid user account
  • Windows operating system running a vulnerable build
Key points
  • Low complexity exploitation
  • Requires local code execution first
  • Affects all major Windows versions and Server editions
  • Affects systems controlling critical infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.1%
EPSS estimates the probability of observed in-the-wild exploitation over the next 30 days; a low score does not mean the bug is hard to weaponize. Local kernel elevation of privilege is a routine second stage once an attacker has any foothold on a workstation, so the score should inform patch ordering, not whether to patch.
Affected products (27 on the advisory, all with a fix available; 5 listed here)
Product | Affected Versions | Fix Status
Windows 11 Version 26H1 for ARM64-based Systems | All builds before the fix | Fixed in build 10.0.28000.1836
Windows 11 Version 26H1 for x64-based Systems | All builds before the fix | Fixed in build 10.0.28000.1836
Windows 10 Version 1809 for 32-bit Systems | All builds before the fix | Fixed in build 10.0.17763.8644
Windows 10 Version 1809 for x64-based Systems | All builds before the fix | Fixed in build 10.0.17763.8644
Windows Server 2019 | All builds before the fix | Fixed in build 10.0.17763.8644
Remediation & Mitigation
Do now
[HARDENING] Restrict physical and network access to engineering workstations and HMI systems to authorized personnel only
[HARDENING] Enforce strong password policies and multi-factor authentication on all Windows systems with access to industrial control networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

[HOTFIX] Install the April 2026 Windows security update for your version of Windows (Build 10.0.28000.1836 for Windows 11 v26H1, Build 10.0.17763.8644 for Windows 10 v1809 and Server 2019, Build 10.0.20348.5020 for Server 2022, or the equivalent for your installed version)
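A build check for the hotfix step above, written for this page as an added example; it is not OTPulse's or Microsoft's tooling. It reads the installed build from the registry and compares it with the fixed builds the advisory lists. The $FixedBuilds table, the function names, and the "Unknown" result for Windows versions the advisory does not enumerate are assumptions of this example, not facts from the page.

```powershell
# Added example, not from the advisory: compare the local Windows build with the
# April 2026 fixed builds this page lists for CVE-2026-26163.
# $FixedBuilds holds only the builds the advisory states; other Windows versions
# are reported as Unknown rather than guessed (assumption of this example).

$FixedBuilds = @{
    '28000' = [version]'10.0.28000.1836'   # Windows 11 Version 26H1 (x64 and ARM64)
    '17763' = [version]'10.0.17763.8644'   # Windows 10 Version 1809, Windows Server 2019
    '20348' = [version]'10.0.20348.5020'   # Windows Server 2022
}

function Get-InstalledWindowsBuild {
    # CurrentBuildNumber is the major build (e.g. 17763); UBR is the revision that
    # cumulative updates bump, so the full version is Major.Minor.Build.UBR.
    $nt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('{0}.{1}.{2}.{3}' -f $nt.CurrentMajorVersionNumber,
                                   $nt.CurrentMinorVersionNumber,
                                   $nt.CurrentBuildNumber,
                                   $nt.UBR)
}

function Test-Cve202626163Patched {
    # Accepts an explicit version so builds collected from remote hosts or an
    # inventory export can be checked offline; defaults to the local machine.
    param([version]$Installed = (Get-InstalledWindowsBuild))

    $key = [string]$Installed.Build        # third component, e.g. 17763
    if (-not $FixedBuilds.ContainsKey($key)) {
        $fixed  = $null
        $status = 'Unknown: build not listed in this advisory; apply the April 2026 update for this version'
    } else {
        $fixed = $FixedBuilds[$key]
        if ($Installed -ge $fixed) {
            $status = 'Patched'
        } else {
            $status = 'VULNERABLE: install the April 2026 cumulative update and reboot'
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = $Installed
        FixedBuild   = $fixed
        Status       = $status
    }
}

# Local check
Test-Cve202626163Patched

# Offline check of a build string collected elsewhere (constructed sample input;
# 10.0.17763.8600 is below the 8644 fix revision, so this reports VULNERABLE)
Test-Cve202626163Patched -Installed ([version]'10.0.17763.8600')
```

For a fleet, either wrap the call in Invoke-Command where WinRM is permitted (often it is not on control networks) or export build numbers from your inventory or EDR and pass them with -Installed. A host that reports Unknown (for example Windows Server 2016 or 2025, which the advisory names but does not give a build for) still needs the April 2026 update for its version; the check only tells you whether this CVE is closed, not whether the attacker's initial foothold is.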
Long-term hardening
[HARDENING] Isolate Windows-based control systems from general corporate networks using network segmentation or air-gapping where feasible