HIGH 7.8

CVE-2026-45600: Windows Kernel Type Confusion Privilege Escalation (CVSS 7.8)

A type confusion flaw exists in Windows kernel-mode drivers that allows a user already logged into a Windows system to escalate their privileges to a higher level of access. An attacker would need valid credentials and local access to exploit this issue. The vulnerability affects recent versions of Windows 11 and Windows Server 2025.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-843
Affected products
7 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Access of resource using incompatible type ('type confusion') in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45600 is a type confusion vulnerability (CWE-843) in Windows kernel-mode drivers. Type confusion occurs when code attempts to access a resource using an incompatible data type, potentially causing the kernel to misinterpret memory contents. An authenticated local attacker can trigger this condition to achieve privilege escalation. The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects that the attack requires local access and an existing user account, but no additional authentication complexity—once triggered, the attacker gains complete confidentiality, integrity, and availability impact within the system context.

Business impact

Privilege escalation vulnerabilities in Windows kernel drivers represent a significant business risk because they enable attackers who have gained initial user-level access—whether through phishing, malware, or insider threats—to assume administrative control. This can lead to lateral movement, installation of persistent backdoors, theft of sensitive data, system manipulation, and compliance violations. Organizations running Windows 11 or Windows Server 2025 in production should treat this as a priority since compromised systems can become staging points for attacks on the wider infrastructure.

Affected systems

The vulnerability affects Windows 11 versions 24H2, 25H2, and 26H1, as well as Windows Server 2025. Organizations should verify their exact build and servicing channel, as cumulative updates may already include patches. Check Settings > System > About or run 'winver' to confirm your version.

Exploitability

Exploitation requires that an attacker already possess valid credentials and local system access—this is not a remote vulnerability. However, the lack of user interaction (UI:N) and low attack complexity (AC:L) mean that once an attacker clears that threshold, triggering the flaw is straightforward. This makes the vulnerability particularly dangerous in shared or high-trust environments (shared workstations, terminal servers, developer machines). It is not currently known to be exploited in the wild or included in public exploit databases, but the low exploitation barrier suggests this status may change.

Remediation

Apply the latest cumulative security updates from Microsoft for your Windows version. Verify the patch date aligns with the vulnerability publication (June 2026) and later. Additionally, enforce principle of least privilege: restrict local admin rights, disable unnecessary kernel drivers, and segregate system access by role. Monitor driver loading and kernel API calls in sensitive environments using endpoint detection and response (EDR) tools.

Patch guidance

Visit the Microsoft Security Update Guide and search for CVE-2026-45600 to find the specific KB article and cumulative update for your Windows version. Windows Update should deliver patches automatically if you have automatic updates enabled. For Windows Server 2025, prioritize patching in test environments first given the criticality of server uptime. Verify patch installation by confirming the new build number post-reboot matches the advisory guidance.

Detection guidance

Monitor event logs for unusual kernel-mode driver activity and privilege escalation attempts. EDR solutions should flag abnormal syscall patterns or unexpected context switches to SYSTEM privilege level. Look for indicators including: processes launching with elevated tokens without corresponding UAC prompts, unexpected driver loading (check Event ID 7 in System logs), and anomalous memory access patterns in user-mode processes touching kernel structures. Kernel tracing and behavioral anomaly detection are more effective than signature-based detection for type confusion flaws.

Why prioritize this

Despite not being tracked in CISA's Known Exploited Vulnerabilities catalog, this HIGH-severity kernel privilege escalation should be prioritized because: (1) it affects actively maintained, widely deployed Windows versions; (2) local privilege escalation is a critical attack primitive that enables further compromise; (3) the attack is low-friction once initial access is achieved; (4) kernel-level access is difficult to detect and remediate. Patching should occur within 30 days for most environments, and sooner for high-risk systems (financial, healthcare, critical infrastructure).

Risk score, explained

The CVSS score of 7.8 reflects a HIGH-severity vulnerability. While it requires local access and pre-existing credentials (reducing attack surface compared to network attacks), the consequences are severe: unrestricted privilege escalation grants attackers complete control over the system. The kernel-mode nature elevates the severity beyond user-mode privilege escalation flaws, as kernel compromise enables anti-forensics, persistence mechanisms, and attacks on other system components. Organizations relying on user-account isolation as a security boundary should weight this risk higher.

Frequently asked questions

Can this vulnerability be exploited over the network or remotely?

No. This vulnerability requires local system access and valid user credentials. It cannot be exploited remotely or over a network connection. However, if an attacker has already gained user-level access through remote compromise (phishing malware, RDP, etc.), this flaw becomes a pathway to full system control.

Do all Windows 11 and Windows Server 2025 systems need to be patched?

Yes, all instances of Windows 11 versions 24H2, 25H2, and 26H1, as well as Windows Server 2025, are affected. However, if you have already installed cumulative updates released after June 9, 2026, you may already have the patch. Verify your build number against the Microsoft security advisory to confirm.

What is a 'type confusion' vulnerability and why is it dangerous?

Type confusion occurs when code mistakenly treats data as a different data type than it actually is. In kernel mode, this can cause the system to misinterpret memory contents, leading to unauthorized access or control. Kernel-level type confusion is especially dangerous because it bypasses many user-mode protections and can give an attacker direct hardware access and full system control.

If we cannot patch immediately, what interim steps reduce risk?

Apply the principle of least privilege: remove unnecessary user administrative rights, disable or restrict unused kernel drivers, and monitor driver loading events. Use application whitelisting and EDR tools to detect anomalous privilege escalation attempts. Isolate high-value systems and restrict who can log in locally. However, these are temporary measures—patching should remain the priority.

This analysis is based on vendor data and public security research as of June 2026. CVSS scores, patch versions, and affected products are sourced from the official vulnerability record. No exploit code or weaponized proof-of-concept is provided. Organizations must verify patch applicability against their specific builds and test in non-production environments before deployment. SEC.co makes no warranty regarding the completeness or accuracy of detection guidance; endpoint detection and response effectiveness varies by tool and environment configuration. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).