HIGH 7.8

CVE-2026-45593: Windows SDK Use-After-Free Privilege Escalation

A use-after-free memory flaw in the Windows SDK enables a user with local access to gain elevated privileges on affected Windows systems. The vulnerability requires the attacker to be authenticated and logged in, but does not need user interaction to trigger. An attacker exploiting this could gain System-level access, potentially allowing them to install malware, modify system configurations, or access sensitive data.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-190, CWE-416
Affected products
19 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Windows SDK allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45593 is a use-after-free vulnerability (CWE-416) in the Windows SDK affecting multiple versions of Windows 10, Windows 11, and Windows Server. The flaw stems from improper memory management where a pointer to a freed memory location is dereferenced, allowing an authenticated local attacker to execute arbitrary code with elevated privileges. The vulnerability also involves integer-related memory handling (CWE-190). With a CVSS 3.1 score of 7.8 (HIGH), the attack vector is local, requires low complexity, needs prior user privileges, and causes high impact across confidentiality, integrity, and availability.

Business impact

Organizations relying on Windows 10 and Windows 11 desktops, as well as Windows Server 2019, 2022, and 2025 infrastructure, face a direct privilege escalation risk. A compromised user account—whether through phishing, credential theft, or lateral movement—can be weaponized to gain System privileges without additional exploitation. This undermines endpoint hardening strategies and creates a pathway for attackers to achieve persistent, elevated access. Risk is elevated in multi-tenant or shared-workstation environments where user isolation is critical.

Affected systems

The vulnerability affects Windows 10 (versions 1809, 21H2, and 22H2), Windows 11 (versions 23H2, 24H2, 25H2, and 26H1), and Windows Server editions 2019, 2022, and 2025. Organizations running any of these versions should assume exposure unless a patch has been applied. Note that the older Windows 10 1809 appears in the affected list; verify patch availability for out-of-mainstream-support versions with Microsoft.

Exploitability

The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the low attack complexity and local-access prerequisite make it a natural target for privilege escalation chains once an attacker gains initial user-level access. Exploitation requires no user interaction, only that the attacker possess valid credentials. The barrier to exploit is technical knowledge rather than social engineering.

Remediation

Apply security updates from Microsoft as soon as they become available for your Windows version. Organizations should prioritize patching based on the criticality of affected systems—servers and administrative workstations should be addressed first. For systems where patching is delayed, enforce application whitelisting, restrict local logon privileges, and monitor for suspicious memory corruption patterns as interim controls.

Patch guidance

Contact Microsoft's Security Update Guide or your organization's patch management system for the specific update version targeting this vulnerability on your Windows version. Test patches in a non-production environment to confirm compatibility with legacy applications and system configurations. Given the breadth of affected versions, coordinate patching across Windows 10, Windows 11, and Windows Server ecosystems in a phased rollout to minimize business disruption.

Detection guidance

Monitor Windows event logs for unusual process privilege escalation events, particularly those involving System token impersonation or unexpected token elevation. Security tools capable of detecting memory corruption exploits—such as control-flow integrity checks and heap spray detection—may identify active exploitation attempts. Network detection is limited since the attack is local; focus on endpoint detection and response (EDR) capabilities to catch post-exploitation activity such as lateral movement or data exfiltration following successful privilege escalation.

Why prioritize this

A CVSS score of 7.8 coupled with broad Windows version coverage justifies immediate attention. While not yet exploited in the wild (KEV status: false), the uncomplicated attack path and high impact make this a prime vector for attackers seeking to escalate compromised user accounts. Environments with strict access controls and air-gapped networks face lower risk; those with shared workstations or frequent third-party access should elevate priority.

Risk score, explained

The HIGH severity reflects the combination of low attack complexity, the authenticated-but-not-interactive nature of the attack, and the severity of impact (full System-level compromise). The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H captures a local, low-complexity attack requiring prior user privileges with no user interaction, resulting in high confidentiality, integrity, and availability impact. The lack of KEV status slightly mitigates urgency compared to actively exploited flaws, but the inherent risk remains substantial.

Frequently asked questions

Do I need administrator privileges to be exploited by this vulnerability?

No. The vulnerability requires only standard user-level privileges (PR:L in the CVSS vector). An attacker with any valid, authenticated local user account can exploit it to escalate to System privileges, making it particularly dangerous in shared-workstation or multi-user environments.

Is there a workaround if I cannot patch immediately?

There is no known workaround that eliminates the risk. Interim mitigations include restricting who can log on locally (via Group Policy or access control lists), disabling unnecessary services, and implementing behavioral monitoring via EDR tools. However, patching remains the only reliable remediation.

Why is this not on CISA's KEV catalog yet?

The KEV catalog tracks vulnerabilities with confirmed active exploitation in the wild. This vulnerability was published on June 9, 2026, and as of the latest data snapshot, no public exploits have been observed. This does not mean exploitation is impossible—only that it has not been weaponized at scale. Organizations should not treat the lack of KEV status as a signal to deprioritize patching.

How does this differ from typical local privilege escalation bugs?

This particular flaw involves a use-after-free condition in the Windows SDK, meaning it stems from fundamental memory handling rather than a logic error in access control. This can make it more reliable to exploit since memory corruption vulnerabilities are often exploitable across multiple code paths. The involvement of both CWE-190 (integer overflow) and CWE-416 (use-after-free) suggests the vulnerability may involve integer arithmetic that affects memory bounds.

This analysis is provided for informational purposes and reflects publicly available information as of June 2026. Organizations should verify patch availability and compatibility with their specific Windows versions through Microsoft's official security advisories. The absence of KEV status or observed exploitation does not guarantee the absence of attacks; defense-in-depth strategies are recommended. Consult with your security team or Microsoft support for environment-specific remediation guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).