CVE-2026-42828: Windows Projected File System Filter Driver Privilege Escalation Vulnerability
A flaw in Windows' Projected File System Filter Driver can allow an authorized user to gain elevated privileges on a local machine. The vulnerability stems from the driver reading beyond intended buffer boundaries, which an attacker with standard user permissions can exploit to escalate to higher privilege levels. This is a local-only issue—an attacker must already have login access to the system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-126
- Affected products
- 19 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42828 is a buffer over-read vulnerability (CWE-126) in the Windows Projected File System Filter Driver. The driver fails to properly validate buffer boundaries during a read operation, allowing a low-privileged local process to cause out-of-bounds memory access. By crafting specific input or triggering specific conditions through the filter driver's interface, an authenticated attacker can read kernel memory and leverage the information disclosure to bypass address space layout randomization (ASLR) or directly escalate privileges. The CVSS 3.1 score of 7.8 (HIGH) reflects the local attack vector, low complexity, and requirement for prior authentication, but also the high impact across confidentiality, integrity, and availability once exploited.
Business impact
Privilege escalation on Windows endpoints poses a significant operational risk. An employee or contractor with standard user access could elevate to SYSTEM or administrator, potentially granting them the ability to install malware, access sensitive data across all user profiles, disable security tools, or pivot to network resources. For organizations running Windows 10 or 11 across large estates, or those relying on Windows Server 2019/2022/2025 for critical services, this creates an avenue for internal threat actors or compromised accounts to move laterally or achieve persistent administrative control without requiring initial high-privilege access.
Affected systems
The vulnerability affects multiple Windows 10 versions (1809, 21H2, 22H2), all supported Windows 11 versions (23H2, 24H2, 25H2, 26H1), and Windows Server 2019, 2022, and 2025. Organizations running any of these versions in production are potentially impacted. The broad version coverage underscores the need for systematic patching across diverse deployment scenarios—from single-user endpoints to large server deployments.
Exploitability
Exploitation requires local access and standard user privileges; no network interaction is needed. The attack complexity is low, meaning a functional exploit does not require unusual conditions or user interaction. However, the requirement for prior authentication (even at user level) means this is not a worm-like or mass-exploitation risk. The absence of known public exploits at publication and KEV non-inclusion suggests limited active exploitation in the wild, but security teams should assume proof-of-concept code or weaponized variants will emerge as patching timelines extend. Insider threats or compromised user accounts remain the primary concern.
Remediation
Apply Microsoft security patches released on or after the published date (June 9, 2026). Consult the official Microsoft Security Updates portal or your organization's patch management system for the specific update versions corresponding to each Windows version in your inventory. Prioritize Windows Server systems and high-sensitivity endpoints. For environments where immediate patching is not feasible, consider restricting user account creation and privilege assignment to minimize the pool of potential attackers; however, this is a temporary mitigant only and does not eliminate the underlying risk.
Patch guidance
Verify the specific KB or patch number for your Windows version directly from Microsoft's official advisory or security update portal. Organizations should follow their standard change management process: test patches in a representative lab environment before broad deployment, plan for potential reboots, and validate that security monitoring and business-critical applications remain functional post-patch. Stagger deployment across non-production, then production infrastructure to minimize business disruption. Prioritize systems in your environment that are most likely targets for privilege escalation (shared servers, systems used by contractors, endpoints in high-risk departments).
Detection guidance
Monitor for unusual process creation with privilege escalation patterns, particularly processes spawning from standard user accounts with SYSTEM or administrator tokens. Kernel memory access patterns and attempts to interact with the Projected File System Filter Driver via its I/O control interfaces should be logged and reviewed. Enable Process Monitoring and Process Injection detection in your endpoint detection and response (EDR) or Microsoft Defender for Endpoint. Look for failed and successful privilege escalation attempts in Windows Security event logs (Event ID 4688 for process creation with elevated tokens). Behavioral analytics looking for lateral movement after local privilege escalation are also valuable.
Why prioritize this
This vulnerability merits HIGH priority because it enables local privilege escalation across a broad range of Windows versions, affecting both client and server operating systems. While it requires prior authentication, the low complexity of exploitation and the ubiquity of Windows in enterprise environments mean that patching delays increase organizational risk. Server systems should be prioritized; client endpoints should follow within standard patch cycles. The absence of KEV status should not lower urgency—it reflects current exploitation data, not the severity or long-term risk.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects the HIGH severity baseline: local attack vector (cannot be exploited remotely), low attack complexity (no special conditions required), requirement for low privileges (standard user authentication), and high impact across all three security pillars (confidentiality, integrity, availability). The lack of user interaction requirement and the narrow scope (single system, not multi-system impact) slightly temper what could otherwise be a critical score. In your risk model, consider organizational context: systems exposed to untrusted user populations warrant higher internal risk scores than isolated or tightly controlled environments.
Frequently asked questions
Do we need to patch Windows Server immediately?
Yes. Windows Server systems running SQL Server, file shares, or other critical services should be patched on a priority basis, as privilege escalation on a server can compromise the entire system and its data. Follow your change management process to test and deploy patches as quickly as safely possible.
Can this vulnerability be exploited remotely?
No. The vulnerability requires local access and valid user credentials. Remote attackers cannot directly exploit this flaw. However, if an attacker gains user-level access through phishing, credential compromise, or another vector, they could then exploit this vulnerability to escalate to administrator or SYSTEM privileges.
What should we do if we cannot patch immediately?
Implement compensating controls: enforce strong access controls to limit user account creation, disable unnecessary services or drivers if the Projected File System is not in use, monitor for suspicious privilege escalation attempts, and restrict local login access to only necessary users. These are temporary measures only—patching remains the primary remediation.
Is this vulnerability being actively exploited?
As of the published date, the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread active exploitation at that time. However, organizations should not assume this will remain the case indefinitely. Patch according to your risk-based patch schedule, prioritizing critical systems.
This analysis is based on publicly available information and vendor advisories current as of the publication date. Patch version numbers, KB articles, and specific remediation steps should be verified directly against Microsoft's official security updates and your organization's vulnerability management system. SEC.co does not provide real-time exploit tracking or guarantee the absence of active exploitation. Organizations must conduct their own risk assessment and threat intelligence review. This vulnerability analysis is for informational purposes and does not constitute legal, compliance, or professional security advice. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-59609MEDIUMQualcomm MBSSID Information Disclosure (MEDIUM 5.5)
- CVE-2026-11787MEDIUM389 Directory Server Buffer Over-read in LDAP Filter Parsing
- CVE-2026-45684MEDIUMOpenTelemetry eBPF Instrumentation Buffer Over-Read Vulnerability
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution