Windows Kernel Elevation of Privilege Vulnerability

Plan Patch
CVSS 7.8
CVE-2026-35420
May 12, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A heap-based buffer overflow in the Windows Kernel allows an authorized attacker with local user privileges to elevate to SYSTEM level access. This affects Windows Server 2016, 2019, 2022, and 2025 in all deployment modes (full and Server Core installations).

What this means
What could happen
An attacker with local access to a Windows Server could exploit this kernel vulnerability to gain system-level privileges, potentially allowing them to modify control logic, alter process parameters, or disable safety interlocks on connected industrial equipment.
Who's at risk
Windows Server administrators and operators at utilities, water authorities, and industrial facilities that run control systems, data acquisition servers, or historian platforms on Windows Server 2016, 2019, 2022, or 2025. Any server with local user access that connects to or manages programmable logic controllers (PLCs), human-machine interfaces (HMIs), or distributed control systems (DCS) is at risk.
How it could be exploited
An attacker must first gain local access to a Windows Server (e.g., as a standard user or service account) and then trigger a heap buffer overflow in the kernel to escalate privileges to SYSTEM level. Once elevated, they could execute arbitrary code with full control over the server and any connected OT devices or sensors.
Prerequisites
  • Local user account with standard privileges on the affected Windows Server
  • Access to the vulnerable kernel code path (requires local logon)
  • Ability to execute code on the server
  • Requires local user privileges
  • Kernel-level access enables complete system compromise
  • Affects all recent Windows Server versions
  • Low attack complexity once local access is obtained
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (9)
9 with fix
Product                                                  | Affected Versions | Fix Status
Windows Server 2019                                      | All versions      | Build 10.0.17763.8755
Windows Server 2019 (Server Core installation)           | All versions      | Build 10.0.17763.8755
Windows Server 2022                                      | All versions      | Build 10.0.20348.5139
Windows Server 2022 (Server Core installation)           | All versions      | Build 10.0.20348.5139
Windows Server 2025 (Server Core installation)           | All versions      | Build 10.0.26100.32860
Windows Server 2022, 23H2 Edition (Server Core installation) | All versions  | Build 10.0.25398.2330
Windows Server 2025                                      | All versions      | Build 10.0.26100.32860
Windows Server 2016                                      | All versions      | Build 10.0.14393.9140
Remediation & Mitigation
Do now
HARDENING: Restrict local logon access to Windows Servers to only trusted operator and engineering accounts; remove unnecessary local user accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Windows Server 2019
HOTFIX: Apply Windows Server 2019 kernel update to Build 10.0.17763.8755 or later
Windows Server 2022
HOTFIX: Apply Windows Server 2022 kernel update to Build 10.0.20348.5139 or later
Windows Server 2025
HOTFIX: Apply Windows Server 2025 kernel update to Build 10.0.26100.32860 or later
Windows Server 2016
HOTFIX: Apply Windows Server 2016 kernel update to Build 10.0.14393.9140 or later
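To confirm whether a server already carries the fixed kernel build before scheduling a maintenance window, the following PowerShell check (an added example, not part of the OTPulse advisory) reads the installed build from the standard CurrentVersion registry key and compares it against the fixed builds listed in the table above; the function name and lookup table are this example's own.

```powershell
# Added example (not from the advisory): compare this server's installed build
# against the fixed kernel builds the advisory lists for CVE-2026-35420.
# Fixed builds come from the "Affected products" table; the registry path and
# value names (CurrentBuildNumber, UBR) are standard Windows locations.

$FixedBuilds = @{
    '14393' = 9140    # Windows Server 2016
    '17763' = 8755    # Windows Server 2019
    '20348' = 5139    # Windows Server 2022
    '25398' = 2330    # Windows Server 2022, 23H2 Edition
    '26100' = 32860   # Windows Server 2025
}

function Test-Cve202635420Patched {
    param(
        [string]$Build,   # CurrentBuildNumber, e.g. '17763'
        [int]$Ubr         # Update Build Revision, e.g. 8755
    )
    # A build not in the advisory table is neither confirmed fixed nor affected.
    if (-not $FixedBuilds.ContainsKey($Build)) {
        return [pscustomobject]@{
            Build         = "10.0.$Build.$Ubr"
            RequiredBuild = 'n/a'
            Status        = 'NotInAdvisory'
        }
    }
    $required = $FixedBuilds[$Build]
    $status = if ($Ubr -ge $required) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{
        Build         = "10.0.$Build.$Ubr"
        RequiredBuild = "10.0.$Build.$required"
        Status        = $status
    }
}

# Read the installed build; this works on both full and Server Core installs.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Test-Cve202635420Patched -Build $cv.CurrentBuildNumber -Ubr $cv.UBR
```

For a fleet of historian or SCADA servers, wrap the same check in Invoke-Command against each host and collect the Status column into a patch-tracking sheet.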
Long-term hardening
HARDENING: Implement endpoint privilege management or application whitelisting to limit unauthorized code execution on servers running OT systems


Windows Kernel Elevation of Privilege Vulnerability | CVSS 7.8 - OTPulse