Windows Kernel Elevation of Privilege Vulnerability
Plan Patch | CVSS 7 | CVE-2026-32195 | Apr 14, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary
A stack-based buffer overflow in the Windows Kernel allows an authorized local user to elevate privileges. Affects Windows 11 Version 26H1 on both ARM64 and x64 architectures. Exploitation is assessed as less likely, and triggering the flaw requires local user-level access.
What this means
What could happen
A user with local access to a Windows 11 system could exploit a kernel vulnerability to gain administrator-level privileges, potentially allowing them to alter SCADA software settings, disable monitoring, or install persistent malware.
Who's at risk
Windows 11 administrators and operators running Version 26H1 on x64 or ARM64-based systems. This affects industrial PCs, engineering workstations, and any Windows 11 system in your network that has local user accounts, including shared operator terminals and maintenance computers.
How it could be exploited
An attacker must first gain local user-level access to a Windows 11 system (via phishing, USB drive, or compromised credentials). They then exploit a stack buffer overflow in the Windows kernel to escalate to SYSTEM/administrator privileges, gaining full control of the machine.
Prerequisites
- Local user account on a Windows 11 Version 26H1 system (x64 or ARM64)
- Ability to execute code with user privileges
local privilege escalation | requires local access | affects operator workstations
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Install the Windows 11 2026-Apr security update to build 10.0.28000.1836 or later
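To confirm the hotfix level before and after the maintenance window, the following PowerShell sketch compares a host's full build string against the fixed build named above. It is an added example, not Microsoft's or this advisory's own tooling; the function names, the sample inventory and the assumption that the affected 26H1 branch reports build 28000 (as the fixed build implies) are not from the page.

```powershell
# Added example: not Microsoft's or the advisory's own tooling.
# Fixed build comes from the remediation line on this page.
$FixedBuild = [version]'10.0.28000.1836'

function Test-KernelFixApplied {
    # Classifies a full build string (major.minor.build.revision).
    param([Parameter(Mandatory)][string]$BuildString)

    $v = $null
    if (-not ([version]::TryParse($BuildString, [ref]$v)) -or ($v.Revision -lt 0)) {
        return 'Unparsed'      # malformed string or missing revision (UBR)
    }
    # Assumption: hosts on the affected 26H1 branch report build 28000,
    # as the fixed build implies. Other branches are out of scope here.
    if ($v.Major -ne $FixedBuild.Major -or $v.Build -ne $FixedBuild.Build) {
        return 'OutOfScope'
    }
    if ($v -ge $FixedBuild) { return 'Patched' }
    return 'NeedsUpdate'
}

function Get-LocalBuildString {
    # Build and update revision (UBR) as recorded in the registry.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    '{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber,
        $cv.CurrentMinorVersionNumber, $cv.CurrentBuildNumber, $cv.UBR
}

# Constructed sample inventory (hypothetical host names and build values).
$inventory = @(
    [pscustomobject]@{ Name = 'eng-ws-01'; Build = '10.0.28000.1836' }
    [pscustomobject]@{ Name = 'hmi-op-02'; Build = '10.0.28000.1500' }
    [pscustomobject]@{ Name = 'maint-03';  Build = '10.0.26100.4000' }
    [pscustomobject]@{ Name = 'kiosk-04';  Build = '10.0.28000' }
)
$inventory | Select-Object Name, Build,
    @{ Name = 'Status'; Expression = { Test-KernelFixApplied $_.Build } }

# Check the machine this script runs on.
Test-KernelFixApplied (Get-LocalBuildString)
```

Hosts reported as `Unparsed` lack the revision component, so their patch level cannot be decided from the inventory alone and needs a direct check.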
CVEs (1)
API: /api/v1/advisories/e6643ced-a17a-447f-b551-72fbb7026eb0