CVE-2026-41092: Microsoft Kinect Local Privilege Escalation Vulnerability
A flaw in Microsoft Kinect's access control allows someone who already has local user access to a Windows machine to elevate their privileges to a higher level of system access. This is a local-only attack that requires an attacker to have an existing account on the target system; it cannot be exploited remotely. The vulnerability affects multiple versions of Windows 10, Windows 11, and Windows Server platforms.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-284
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Improper access control in Microsoft Kinect allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41092 is an improper access control vulnerability (CWE-284) in Microsoft Kinect with a CVSS 3.1 score of 7.8 (HIGH). The vulnerability resides in the Kinect subsystem and can be exploited by an attacker with local user privileges to gain elevated system access without user interaction. The attack vector is local, requires low complexity, and can compromise confidentiality, integrity, and availability once privileges are escalated. The vulnerability affects Windows 10 (builds 1607, 1809, 21H2, 22H2), Windows 11 (builds 23H2, 24H2, 25H2, 26H1), and Windows Server platforms (2012 through 2025).
Business impact
Organizations running Kinect-enabled systems—common in mixed-reality, conference room setups, and specialized application environments—face localized privilege escalation risk. While the threat requires prior system access, insider threats or compromised user accounts could leverage this flaw to move laterally or gain administrative control. In server environments, this expands the blast radius of any initial compromise. For organizations using Kinect in production, this represents a direct path to system control once a foothold is established.
Affected systems
The vulnerability impacts a wide range of Microsoft platforms: Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 builds 23H2, 24H2, 25H2, and 26H1; and Windows Server 2012, 2016, 2019, 2022, and 2025. Any Windows system running Kinect is in scope, though the prevalence of Kinect deployment varies significantly by organization type. Server deployments are less common but present higher-value targets.
Exploitability
Exploitation requires pre-existing local access—an attacker must already have credentials or have compromised a user account on the target system. No user interaction is needed once local access is gained, and exploitation complexity is low. The vulnerability is not currently in the CISA Known Exploited Vulnerabilities catalog, suggesting no active in-the-wild exploitation at publication time. However, the technical simplicity of the flaw and its straightforward privilege escalation path make it an attractive post-compromise technique.
Remediation
Microsoft security updates addressing CVE-2026-41092 have been released. Apply the latest cumulative updates from Microsoft for your respective Windows version to remediate the underlying access control defect. Verify that Kinect drivers and related components are included in the patch. Organizations should prioritize patching systems in high-value or sensitive environments where privilege escalation poses the greatest risk.
Patch guidance
Consult Microsoft's official security bulletins and the patch details released on 2026-06-09 (with updates through 2026-06-17) for the specific KB articles and cumulative update numbers applicable to your Windows version. Test patches in a non-production environment before broad deployment. For Windows Server systems, coordinate patching with change windows to minimize disruption. Verify that Kinect-dependent applications remain functional post-patch.
Detection guidance
Monitor for signs of local privilege escalation on systems running Kinect, including unexpected elevation of user permissions, unexpected SYSTEM-level process spawning, and suspicious access to Kinect driver components. Review Windows event logs for failed access attempts to protected resources, and implement behavioral detection rules for privilege elevation exploits. In network-based detection, look for Kinect service restarts or unusual service state changes that may indicate exploitation attempts. Endpoint Detection and Response (EDR) tools should be configured to flag suspicious privilege escalation patterns on workstations and servers where Kinect is active.
Why prioritize this
This vulnerability merits priority patching in any organization using Kinect hardware, primarily because it enables privilege escalation from an already-compromised user account into system-level access. The high CVSS score (7.8) reflects the severity of impact once exploited. While active exploitation is not yet documented, the low attack complexity and lack of user interaction required post-compromise make it an obvious follow-up move for attackers who gain initial user-level access. Organizations should treat this as part of their standard critical/high patch cycle.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) derives from the low attack complexity, the fact that no user interaction is required post-compromise, and the high impact across confidentiality, integrity, and availability. The local attack vector means it does not threaten unauthenticated remote access, which prevents it from reaching CRITICAL severity. However, in the context of insider threats or lateral movement following a primary compromise, the impact is substantial. Organizations should evaluate their specific Kinect deployment footprint and threat model when determining internal prioritization.
Frequently asked questions
Does this vulnerability require remote access?
No. CVE-2026-41092 is purely local. An attacker must already have user-level access to the target system—either through a valid account, credential theft, or a prior compromise. It cannot be exploited remotely over a network.
What systems are most at risk?
Any Windows 10, Windows 11, or Windows Server system actively running Kinect hardware and drivers. Organizations with mixed-reality workstations, sensor-enabled conference rooms, or specialized applications relying on Kinect should prioritize patch assessment. Server installations are less common but represent higher-value targets.
Can this be exploited by unauthenticated users?
No. The attacker must have local user-level privileges before attempting exploitation. It is a privilege escalation vector, not a remote code execution or initial-access vulnerability.
Has this vulnerability been actively exploited?
As of the publication date, CVE-2026-41092 is not listed in CISA's Known Exploited Vulnerabilities catalog, indicating no documented active exploitation in the wild. However, organizations should not assume indefinite safety and should apply patches according to their standard critical/high-priority schedules.
This analysis is based on vulnerability data published as of 2026-06-17. Patch version numbers, vendor advisories, and exploitation status may change; organizations should verify the latest Microsoft security bulletins before deploying patches. This vulnerability requires pre-existing local access and does not enable unauthenticated remote compromise. No exploit code is provided or endorsed. Security teams should test patches in controlled environments and align remediation with organizational change management policies. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11179HIGHChrome ORB Site Isolation Bypass (CVSS 8.8)
- CVE-2026-42829HIGHWindows 11 Administrator Protection Bypass (CVSS 7.8 HIGH)
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)
- CVE-2026-11026MEDIUMChrome Extension Navigation Bypass Vulnerability
- CVE-2026-11078MEDIUMChrome FileSystem Same-Origin Policy Bypass – MEDIUM Severity
- CVE-2026-11135MEDIUMChrome Autofill Bypass Allows Credential Misdirection
- CVE-2026-11187MEDIUMChrome Navigation Restriction Bypass Vulnerability
- CVE-2026-11190MEDIUMGoogle Chrome Extension Access Control Bypass (6.5 CVSS)