Windows Kernel Elevation of Privilege Vulnerability

Plan Patch | CVSS 7.8 | CVE-2026-26179 | Apr 14, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A double-free vulnerability in the Windows kernel allows an authorized user with a valid local account to escalate privileges to system/administrator level. The flaw is in kernel memory management and can be triggered by unprivileged user-mode code. Exploitation requires local access only; no network access is needed. Microsoft has released patches for Windows Server 2022, Windows Server 2025, and Windows 11 (versions 23H2, 24H2, 25H2, and 26H1) across ARM64 and x64 architectures.

What this means
What could happen
A user with legitimate access to a Windows system could exploit a kernel flaw to gain administrator-level privileges, allowing them to modify or disable software controls on industrial equipment, access sensitive system data, or persist malicious access across system reboots.
Who's at risk
Windows Server systems (2022, 2025) and Windows 11 workstations (all recent versions including 23H2, 24H2, 25H2, and 26H1 on ARM64 and x64 architectures). This affects both standard and Server Core installations. If any of your engineering workstations, HMI computers, or edge systems run Windows 11 or Windows Server 2022/2025, they are in scope.
How it could be exploited
An attacker with a standard user account on Windows Server 2025, Windows 11 (any recent version), or Windows Server 2022 could trigger a double-free condition in the Windows kernel to execute code with system privileges. This requires local access and an existing user account but no additional authentication.
Prerequisites
  • Local user account access on the affected Windows system
  • No special privileges required at exploitation time (standard user account sufficient)
  • Ability to execute code on the system (e.g., via script, application, or command prompt)
  • Low complexity exploitation
  • Local access only (limits but does not eliminate risk)
  • Affects many Windows versions and architectures
  • Patches available from vendor
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (11)
11 with fix
Product | Affected Versions | Fix Status
Windows Server 2025 (Server Core installation) | All versions | Build 10.0.26100.32690
Windows 11 Version 25H2 for ARM systems | All versions | Build 10.0.26200.8246
Windows 11 Version 25H2 for x64-based Systems | All versions | Build 10.0.26200.8246
Windows 11 Version 23H2 for ARM64-based Systems | All versions | Build 10.0.22631.6936
Windows 11 Version 23H2 for x64-based Systems | All versions | Build 10.0.22631.6936
Windows Server 2022, 23H2 Edition (Server Core installation) | All versions | Build 10.0.25398.2274
Windows 11 Version 24H2 for ARM64-based Systems | All versions | Build 10.0.26100.32690
Windows 11 Version 24H2 for x64-based Systems | All versions | Build 10.0.26100.32690
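
A fleet triage check built from the fixed builds listed above, as an added example that is not part of the original advisory: it compares each host's reported build string against the fixed build for its branch. Hostnames and sample revisions are constructed, and branches with no row in the table are reported as unlisted rather than assumed safe.

```python
import re

# Fixed builds copied from the advisory's table, keyed by build branch.
# Branches the table does not list are deliberately absent.
FIXED_REVISION = {
    26100: 32690,  # Windows 11 24H2, Windows Server 2025 (Server Core)
    26200: 8246,   # Windows 11 25H2
    22631: 6936,   # Windows 11 23H2
    25398: 2274,   # Windows Server 2022, 23H2 Edition (Server Core)
}

# Matches "10.0.<branch>.<revision>" anywhere in the text, e.g. in `ver` output.
BUILD_RE = re.compile(r"\b10\.0\.(\d{4,5})\.(\d+)\b")


def classify(build_text):
    """Return 'patched', 'vulnerable', 'unlisted' or 'unparsed' for one host."""
    match = BUILD_RE.search(build_text or "")
    if not match:
        return "unparsed"
    branch, revision = int(match.group(1)), int(match.group(2))
    fixed = FIXED_REVISION.get(branch)
    if fixed is None:
        # No row for this branch: look it up at the vendor, never assume safe.
        return "unlisted"
    # The advisory accepts the 2026-Apr update or later, so >= counts as fixed.
    return "patched" if revision >= fixed else "vulnerable"


def triage(inventory):
    """Group hostnames by status; inventory yields (host, build_text) pairs."""
    report = {"vulnerable": [], "unlisted": [], "unparsed": [], "patched": []}
    for host, build_text in inventory:
        report[classify(build_text)].append(host)
    return report


# Constructed inventory: hostnames and revisions below are made up.
SAMPLE = [
    ("hmi-01", "Microsoft Windows [Version 10.0.26100.32690]"),
    ("eng-ws-02", "10.0.22631.5000"),
    ("edge-03", "10.0.26200.8245"),
    ("hist-04", "10.0.20348.1"),
    ("plc-gw-05", "Windows 11"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:<10} {', '.join(hosts) or '-'}")
```

Hosts in the unlisted or unparsed groups need a manual check against the vendor bulletin before they are counted as remediated.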
Remediation & Mitigation
Do now
HARDENING: Restrict local console and RDP access to trusted administrators only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply the 2026-Apr Windows security update (or later) to all affected systems
HARDENING: Remove unnecessary local user accounts and disable guest accounts
Long-term hardening
HARDENING: Implement application whitelisting to prevent unauthorized code execution by standard users
API: /api/v1/advisories/5dcb4e1d-7bae-451c-87ce-ab36d689ab3c

Windows Kernel Elevation of Privilege Vulnerability | CVSS 7.8 - OTPulse