HIGH 7.8

CVE-2026-42837: Windows Projected File System Filter Driver Privilege Escalation Vulnerability

A flaw in Windows' Projected File System Filter Driver allows a local attacker with basic user permissions to read memory outside of intended boundaries and gain elevated system privileges. The vulnerability requires the attacker to already have local access to the machine—they cannot exploit it remotely over a network. This is a local privilege escalation risk affecting multiple versions of Windows 10, Windows 11, and Windows Server.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-125
Affected products
19 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Out-of-bounds read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42837 is an out-of-bounds read vulnerability (CWE-125) in the Windows Projected File System Filter Driver. The driver fails to properly validate memory access bounds, permitting an authenticated local attacker to read kernel or system memory regions beyond the intended access scope. Exploitation results in privilege escalation to SYSTEM context. The vulnerability has a CVSS 3.1 score of 7.8 (HIGH), with a local attack vector, low attack complexity, low privilege requirement, and no user interaction needed. Impact is complete across confidentiality, integrity, and availability.

Business impact

Successful exploitation enables attackers with user-level access to gain administrative control of affected systems. This can lead to data exfiltration, installation of malicious software, lateral movement within your environment, and persistent compromise. The risk is elevated in shared or multi-tenant environments where user segregation is relied upon for security. Affected organizations must prioritize patch deployment to prevent insider or low-privileged attacker escalation scenarios.

Affected systems

The vulnerability affects Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), Windows Server 2019, Windows Server 2022, and Windows Server 2025. Both client and server deployments across multiple versions and release channels require remediation. Check your organization's Windows edition and version inventory against this list to determine scope.

Exploitability

The vulnerability requires local system access and valid user credentials—it is not remotely exploitable over a network. However, the low attack complexity and minimal privilege requirements make it accessible to any authenticated user on a compromised or untrusted machine. Exploitation does not require user interaction. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities catalog, but this does not indicate absence of practical exploits in the wild.

Remediation

Microsoft will address this vulnerability through Windows Update. Organizations should apply security updates to all affected Windows 10, Windows 11, and Windows Server systems as they become available. Verify patch version numbers and deployment status against the official Microsoft security advisory. In the interim, restrict local access to trusted users, enforce strong authentication policies, and monitor for suspicious privilege escalation attempts on vulnerable systems.

Patch guidance

Monitor Microsoft's official security bulletin for CVE-2026-42837 for patch release dates and version numbers specific to your Windows edition and version. Coordinate patch deployment through your standard change management process, prioritizing server infrastructure and systems with elevated risk (domain controllers, administrative workstations, shared systems). Test patches in a non-production environment before broad rollout. Document patch application status to ensure complete coverage.

Detection guidance

Monitor Windows security event logs for unusual privilege escalation events (Event ID 4688, 4689), unexpected system calls to the Projected File System Filter Driver, and failed/successful token elevation attempts. Endpoint Detection and Response (EDR) solutions should be configured to flag attempts to read kernel memory regions or access restricted memory addresses. Network monitoring for lateral movement post-exploitation may indicate active abuse. Establish baseline behavior for your environment before applying patches to aid detection of exploitation attempts.

Why prioritize this

This vulnerability merits immediate prioritization due to its HIGH CVSS score (7.8), broad impact across Windows 10, 11, and Server versions, and the severe consequences of privilege escalation. Although local access is required, the low barrier to exploitation (low complexity, low privilege requirement) and the prevalence of shared/multi-user systems mean risk is not negligible. Server environments and administrative workstations should be patched first. The absence from CISA KEV should not delay action—this is a critical privilege escalation vector that must be closed.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects an out-of-bounds read with direct privilege escalation impact. The local attack vector and low privilege/complexity requirements lower barrier to exploitation for insiders or low-privileged attackers. However, the requirement for initial local access prevents a critical (9.0+) rating. Complete confidentiality, integrity, and availability impact justifies the HIGH severity. Organizations with many local user accounts, shared systems, or remote desktop environments face elevated practical risk.

Frequently asked questions

Can this vulnerability be exploited remotely over the internet?

No. The vulnerability requires local system access and valid user credentials. It cannot be exploited over the network directly. However, if an attacker gains initial local access through another means (e.g., malware, compromised account), they can use this flaw to escalate to administrative privileges.

What user privilege level is required to exploit this vulnerability?

An attacker needs to be an authenticated local user with standard (non-administrative) privileges. They cannot be a guest account, but they do not need administrative or system-level access to begin exploitation. This makes it a significant risk in multi-user or shared system environments.

Is there a workaround if we cannot patch immediately?

There is no known workaround that eliminates the risk. Mitigation focuses on restricting local user access to trusted individuals, enforcing strong credential policies, disabling unnecessary remote access services, and implementing EDR monitoring to detect exploitation attempts. Patching is the definitive remediation.

How do we verify if our systems are patched?

Check your Windows version and build number in System Properties or via PowerShell (Get-WmiObject Win32_OperatingSystem). Cross-reference against Microsoft's security advisory for CVE-2026-42837 to confirm patch version numbers for your specific edition. Use WSUS, Windows Update for Business, or third-party patch management tools to track deployment status across your fleet.

This analysis is based on vulnerability data current as of the publication date and CVSS scores provided by the source. Patch version numbers, availability dates, and vendor advisories must be verified against official Microsoft security bulletins before deployment. Exploitation risks vary based on organizational architecture, user segregation policies, and network controls. Organizations should conduct internal risk assessment and consult vendor advisories for definitive guidance on patch applicability and deployment timelines. SEC.co provides analysis for informational purposes and does not guarantee protection or compliance outcomes. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).