CVE-2026-45605: Windows Bluetooth Service Use-After-Free Privilege Escalation
A use-after-free vulnerability in Windows Bluetooth Service enables local privilege escalation when exploited by an authenticated user. The flaw resides in memory management within the Bluetooth subsystem, allowing an attacker with valid credentials to corrupt memory and gain higher system privileges. This is not a remote attack and requires prior local access to the system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 22 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45605 is a use-after-free vulnerability (CWE-416) affecting the Windows Bluetooth Service. The vulnerability exists in the Bluetooth stack's memory handling routines, where freed memory may be referenced after deallocation. An authorized local attacker can trigger this condition through crafted Bluetooth-related system calls, leading to memory corruption. The attacker context requires low privileges (PR:L in the CVSS vector), meaning the attacker needs a valid user account but not administrative rights. Successful exploitation results in complete compromise of system confidentiality, integrity, and availability from within the local system boundary.
Business impact
Privilege escalation vulnerabilities in core Windows services represent a significant insider threat and lateral movement risk in enterprise environments. An employee or contractor with standard user access could escalate to SYSTEM privileges, potentially leading to data theft, malware installation, compliance violations, and persistence mechanisms. In multi-user or terminal server environments, this becomes particularly critical, as a compromised standard user account can compromise the entire host. Organizations running Bluetooth-enabled Windows endpoints face elevated risk of privilege escalation attacks, especially in environments where user isolation is relied upon for security controls.
Affected systems
The vulnerability affects Windows 10 versions 1607, 1809, 21H2, and 22H2, as well as Windows 11 versions 23H2, 24H2, 25H2, and 26H1. Windows Server 2016, 2019, 2022, and 2025 are also impacted. The scope is broad across both consumer and server editions, spanning multiple release channels and support lifecycles. Organizations running any of these Windows versions with Bluetooth functionality enabled should prioritize assessment and patching.
Exploitability
The attack has low complexity (AC:L), meaning the exploitation path is straightforward once the attacker obtains local system access. However, this vulnerability is not self-propagating and requires pre-existing user authentication on the target machine. The use-after-free condition must be reliably triggered, which may require knowledge of specific Bluetooth operations or timing. No evidence of active exploitation in the wild is currently recorded (KEV status: not listed). The practical barrier remains the need for an authorized local account, limiting opportunistic exploitation in most scenarios.
Remediation
Microsoft has released security updates addressing this vulnerability across all affected platforms. Organizations should consult the official Microsoft Security Update Guide and verify patch availability for their specific Windows versions. Apply updates through Windows Update, WSUS, or manual installation as appropriate for your environment. For systems where Bluetooth is not required, disabling the Bluetooth Service reduces exposure, though this may impact user workflows on laptops and mobile devices. Verify patch application through Windows Update history or security patch verification tools.
Patch guidance
Obtain the latest cumulative security update or monthly rollup for your Windows version from Microsoft's official channels. Test patches in a controlled environment before broad deployment to ensure compatibility with organizational applications and drivers. For Windows 10, verify your current version (1607, 1809, 21H2, or 22H2) and apply the corresponding patch bundle. For Windows 11, confirm your version (23H2, 24H2, 25H2, or 26H1) and deploy the latest cumulative update. For Windows Server editions, coordinate patching with change management processes to minimize service disruption. Document patch dates and versions applied for audit and compliance purposes.
Detection guidance
Monitor for unusual Bluetooth Service process behavior, including unexpected crashes or restarts of the btssvc.exe or related Bluetooth driver processes. Implement Windows Event Log monitoring for security events related to privilege escalation (Event ID 4688 for process creation with elevated tokens). Use host-based intrusion detection to flag successful token elevation attempts, particularly from low-privilege processes. In environments with behavioral analytics, watch for user accounts performing unexpected privileged operations immediately following Bluetooth-related system calls. Endpoint detection and response (EDR) platforms should flag suspicious memory corruption attempts or use-after-free exploitation patterns.
Why prioritize this
This vulnerability warrants HIGH priority due to its HIGH CVSS score (7.8), the breadth of affected Windows versions spanning both enterprise and consumer ecosystems, and the direct impact on privilege escalation—a critical attack objective in post-compromise scenarios. While the KEV catalog does not currently list active exploitation, the ease of exploitation (AC:L) and complete system compromise potential (C:H/I:H/A:H) mean rapid patching is essential. Insider threats and lateral movement attacks commonly exploit local privilege escalation vectors, making this a key control point for defense-in-depth strategies.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects the combination of local attack vector, low attack complexity, low privilege requirement, and complete compromise of confidentiality, integrity, and availability. The 'S:U' (Scope Unchanged) indicates the impact is confined to the vulnerable component and processes running on it, not other isolated systems. The severity is driven primarily by the privilege escalation impact—an attacker gaining SYSTEM-level access from a standard user context—rather than remote exploitability. Organizations relying on user account isolation for security controls should treat this as a critical gap.
Frequently asked questions
Do I need Bluetooth enabled for this vulnerability to affect me?
Yes, the Bluetooth Service must be present and functional. However, the service may be enabled by default on most Windows installations, even on systems where Bluetooth hardware is not actively used. Verify your Bluetooth Service status and disable it if not operationally required to reduce attack surface.
Does this vulnerability allow remote exploitation?
No. The attack vector is strictly local (AV:L), meaning the attacker must first obtain an account with login privileges on the target machine. This is not a remote code execution vulnerability and cannot be exploited over the network.
What is the difference between this and a critical-rated vulnerability?
This vulnerability is rated HIGH (7.8) rather than CRITICAL because it requires prior local authentication and has a smaller potential impact scope. Critical vulnerabilities typically involve unauthenticated remote code execution or widespread service disruption. This vulnerability is still serious and should be patched promptly, particularly in environments where insider threat or lateral movement is a concern.
How long until Microsoft stops supporting affected Windows versions?
Support lifecycles vary: Windows 10 versions are nearing or have reached end-of-support (verify Microsoft's lifecycle calendar), while Windows 11 and Windows Server 2022/2025 have extended support windows. Plan your patching and upgrade strategy according to your organization's support policy and Microsoft's official timeline.
This analysis is provided for informational purposes to support security operations and vulnerability management. SEC.co makes no warranty as to the accuracy or completeness of this information. Patch version numbers, KEV status, and affected product lists are sourced from official vendor advisories and CISA records and should be verified against those primary sources before operational deployment. Organizations should conduct their own risk assessment based on their specific environments, business criticality, and threat models. The absence of current KEV listing does not indicate absence of exploit activity; consult threat intelligence feeds and CISA alerts for the latest operational information. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability