Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

Plan Patch | CVSS 7.8 | CVE-2026-45600 | Jun 9, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A type confusion vulnerability in Windows Kernel-Mode Drivers allows an authorized local user to escalate privileges to administrative level. The flaw affects Windows Server 2025 and Windows 11 across multiple versions (24H2, 25H2, 26H1) and both x64 and ARM64 architectures. Exploitation is assessed as unlikely, but a security update is available from Microsoft.

What this means
What could happen
A local user with standard privileges could exploit a flaw in Windows kernel drivers to gain administrative access, potentially allowing unauthorized configuration changes or operational system compromise on any Windows Server or Windows 11 system running the affected builds.
Who's at risk
Windows Server 2025 and Windows 11 (all recent versions and architectures) operators should prioritize patching. This affects any organization running these systems as domain controllers, industrial control servers, historian systems, or network-connected workstations in OT environments.
How it could be exploited
An attacker with a local user account on a Windows Server or Windows 11 system could trigger a type confusion vulnerability in a kernel-mode driver by sending a specially crafted request. This would allow the attacker to execute code with kernel-level privileges, effectively bypassing the privilege boundary that normally protects system operations.
Prerequisites
  • Local user account on the affected Windows system
  • Ability to interact with the vulnerable kernel-mode driver interface
low complexity privilege escalation, locally exploitable, affects core operating system, requires valid user credentials
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (8)
8 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| Windows Server 2025 (Server Core installation) | All versions | Build 10.0.26100.32995 |
| Windows 11 Version 25H2 for ARM64-based Systems | All versions | Build 10.0.26200.8655 |
| Windows 11 Version 25H2 for x64-based Systems | All versions | Build 10.0.26200.8655 |
| Windows 11 Version 24H2 for ARM64-based Systems | All versions | Build 10.0.26100.8655 |
| Windows 11 Version 24H2 for x64-based Systems | All versions | Build 10.0.26100.8655 |
| Windows Server 2025 | All versions | Build 10.0.26100.32995 |
| Windows 11 Version 26H1 for ARM64-based Systems | All versions | Build 10.0.28000.2269 |
| Windows 11 Version 26H1 for x64-based Systems - extra | All versions | Build 10.0.28000.2269 |
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Windows Server 2025
HOTFIX: Apply the June 2026 Windows security update to all affected Windows Server 2025 and Windows 11 systems
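
To confirm the update landed, the following added example (not from Microsoft or the original advisory) compares a host's build and update revision against the fix builds listed under "Affected products". It assumes the standard `CurrentBuildNumber`, `UBR` and `InstallationType` values under the `CurrentVersion` registry key; the function names are hypothetical.

```powershell
# Fix builds copied from the advisory's "Affected products" table.
# Key = "<class>|<build>", value = minimum patched update revision (UBR).
# Build 26100 is shared by Windows Server 2025 and Windows 11 24H2, but the
# fixed revision differs, so the installation type has to be part of the key.
$FixedUbr = @{
    'Server|26100' = 32995   # Windows Server 2025, including Server Core
    'Client|26100' = 8655    # Windows 11 24H2
    'Client|26200' = 8655    # Windows 11 25H2
    'Client|28000' = 2269    # Windows 11 26H1
}

function Get-PatchState {
    param(
        [Parameter(Mandatory)][string]$InstallationType,  # Client, Server, Server Core
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Ubr
    )
    if ($InstallationType -eq 'Client') { $class = 'Client' }
    elseif ($InstallationType -like 'Server*') { $class = 'Server' }
    else { return 'NotListed' }

    $key = "$class|$Build"
    if (-not $FixedUbr.ContainsKey($key)) { return 'NotListed' }   # build not in this advisory
    if ($Ubr -ge $FixedUbr[$key]) { return 'Patched' }
    return 'NeedsUpdate'
}

function Get-LocalPatchState {
    # Read the running system's build, revision and installation type.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr = [int]$cv.UBR
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Version  = "10.0.$build.$ubr"
        Type     = $cv.InstallationType
        State    = Get-PatchState -InstallationType $cv.InstallationType -Build $build -Ubr $ubr
    }
}

# Constructed sample values (not real hosts): the same build and revision
# evaluated once as a server and once as a client.
Get-PatchState -InstallationType 'Server Core' -Build 26100 -Ubr 8655
Get-PatchState -InstallationType 'Client' -Build 26100 -Ubr 8655

# Evaluate the machine this runs on.
Get-LocalPatchState
```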
Long-term hardening
HARDENING: Restrict local logon access to Windows systems to authorized personnel only, using Group Policy or Local Security Policy
HARDENING: Enforce strong password policies and multi-factor authentication for local administrative accounts