Windows Kernel Elevation of Privilege Vulnerability

Plan Patch | CVSS 7.8 | CVE-2026-40369 | May 12, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

An untrusted pointer dereference vulnerability in the Windows Kernel allows an authorized local user to elevate their privileges. The vulnerability affects Windows Server 2025 (all versions and Server Core installation) and Windows 11 versions 24H2, 25H2, and 26H1 on both x64 and ARM64 systems. Microsoft has released patches in the 2026-May security update.

What this means
What could happen
A user with legitimate access to a Windows Server or workstation could elevate their privileges to administrator level, allowing them to install backdoors, modify critical configurations, or disrupt operations.
Who's at risk
Windows Server 2025 (including Server Core) and Windows 11 systems (versions 24H2, 25H2, and 26H1 on both x64 and ARM64 architectures). Any organization running these operating systems on servers, engineering workstations, or HMI systems should apply this update.
How it could be exploited
An attacker with a valid local user account on a Windows Server or workstation exploits an untrusted pointer dereference in the kernel to escalate privileges from their current user context to SYSTEM level, gaining full control of the machine.
Prerequisites
  • Valid local user account on the affected Windows system
  • Local access or remote access via RDP/SSH with user credentials
  • Low complexity exploitation
  • High CVSS score (7.8)
  • Requires user credentials but low barrier to entry for insider threats
  • Affects authentication and authorization controls
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (8)
8 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Windows Server 2025 (Server Core installation) | All versions | Build 10.0.26100.32860 |
| Windows 11 Version 25H2 for x64-based Systems | All versions | Build 10.0.26200.8457 |
| Windows 11 Version 25H2 for ARM64-based Systems | All versions | Build 10.0.26200.8457 |
| Windows 11 Version 24H2 for x64-based Systems | All versions | Build 10.0.26100.8457 |
| Windows Server 2025 | All versions | Build 10.0.26100.32860 |
| Windows 11 Version 26H1 for x64-based Systems | All versions | Build 10.0.28000.2113 |
| Windows 11 Version 26H1 for ARM64-based Systems | All versions | Build 10.0.28000.2113 |
| Windows 11 Version 24H2 for ARM64-based Systems | All versions | Build 10.0.26100.8457 |
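
An added example, not part of the advisory or any Microsoft tooling: a PowerShell check that compares a host's running build against the fixed builds listed above, keeping Windows Server 2025 and Windows 11 24H2 apart because both report build 26100 with different fixed revisions. The function name `Test-FixedBuild` is hypothetical, the sample values at the end are constructed, and the check assumes the `CurrentBuild`, `UBR` and `InstallationType` registry values reflect the installed update level.

```powershell
# Fixed builds copied from the advisory's "Affected products" list.
# Key = "<build>/<edition class>"; value = first fixed revision (UBR).
$FixedUbr = @{
    '26100/Server' = 32860   # Windows Server 2025, including Server Core
    '26100/Client' = 8457    # Windows 11 Version 24H2
    '26200/Client' = 8457    # Windows 11 Version 25H2
    '28000/Client' = 2113    # Windows 11 Version 26H1
}

function Test-FixedBuild {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Ubr,
        [Parameter(Mandatory)][string]$InstallationType
    )
    # "Server" and "Server Core" share one threshold; anything else is
    # treated as a client edition.
    $class = if ($InstallationType -like 'Server*') { 'Server' } else { 'Client' }
    $key = "$Build/$class"
    if (-not $FixedUbr.ContainsKey($key)) {
        return 'NotListed'   # build line does not appear in the advisory
    }
    if ($Ubr -ge $FixedUbr[$key]) { return 'Fixed' }
    return 'NeedsUpdate'
}

# Local host: read the running build from the registry and report its state.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$state = Test-FixedBuild -Build ([int]$cv.CurrentBuild) -Ubr ([int]$cv.UBR) `
                         -InstallationType $cv.InstallationType
'{0}: 10.0.{1}.{2} ({3}) -> {4}' -f $env:COMPUTERNAME, $cv.CurrentBuild,
    $cv.UBR, $cv.InstallationType, $state

# Constructed samples: one revision number checked against the client
# threshold and against the higher server threshold for build 26100.
Test-FixedBuild -Build 26100 -Ubr 8457 -InstallationType 'Client'
Test-FixedBuild -Build 26100 -Ubr 8457 -InstallationType 'Server Core'
```

A `NotListed` result means the host's build line is outside the advisory's product list, not that the host has been verified as unaffected.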
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Windows Server 2025
HOTFIX: Apply the 2026-May security update to all affected Windows Server 2025 and Windows 11 systems
Long-term hardening
HARDENING: Restrict local admin account creation and enforce strong password policies for all local users
HARDENING: Enable Windows Defender Application Guard or equivalent sandboxing on workstations to limit privilege escalation impact