Windows NTFS Remote Code Execution Vulnerability

Plan PatchCVSS 7.8CVE-2026-45636Jun 9, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

A heap-based buffer overflow vulnerability in Windows NTFS allows a local attacker to execute arbitrary code with system privileges. The vulnerability is triggered when a privileged process accesses a specially crafted file. All versions of Windows Server 2016, 2019, 2022, 2025, Windows 10, and Windows 11 are affected. Exploitation requires local user access and user interaction; remote exploitation is not possible.

What this means

What could happen

A local attacker with user access could run arbitrary code on your Windows server or workstation with full system privileges by exploiting an NTFS buffer overflow, potentially compromising plant control systems or critical data.

Who's at risk

Water and utility operators running Windows Server 2016, 2019, 2022, or 2025 (on premises or as HMI/SCADA support systems), and Windows 10/11 workstations used for engineering, monitoring, or administrative tasks. Particularly critical if these systems directly interface with PLCs, RTUs, or process control networks.

How it could be exploited

An attacker with local user access prepares a specially crafted file on the NTFS filesystem. When a privileged process or administrator accesses or processes this file, the heap buffer overflow triggers, allowing code execution at system level.

Prerequisites

Local user account on the affected Windows system
User interaction required (an administrator or privileged process must access the malicious file)

Local attacker with user credentialsRequires user interactionAffects all currently supported Windows versionsHigh CVSS (7.8)

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (26)

26 with fix

ProductAffected VersionsFix Status

Windows Server 2022 (Server Core installation)All versionsBuild 10.0.20348.5256

Windows 10 Version 1809 for x64-based SystemsAll versionsBuild 10.0.17763.8880

Windows 10 Version 21H2 for 32-bit SystemsAll versionsBuild 10.0.19044.7417

Windows 10 Version 21H2 for ARM64-based SystemsAll versionsBuild 10.0.19044.7417

Windows 10 Version 1809 for 32-bit SystemsAll versionsBuild 10.0.17763.8880

Remediation & Mitigation

0/3

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Windows Server 2022

HOTFIXApply Microsoft June 2026 security update to Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2025, Windows 10 (all versions and architectures), and Windows 11 (all versions and architectures)

Long-term hardening

0/2

HARDENINGRestrict local user access on Windows servers and workstations to the minimum required for operational roles

HARDENINGImplement file integrity monitoring on NTFS filesystems to detect suspicious file modifications that could indicate exploitation attempts

CVEs (1)

CVE-2026-45636

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4e013703-00e1-45c5-9d8d-9268adc48c73

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.