CVE-2026-45636: Windows NTFS Heap Buffer Overflow RCE Vulnerability
A heap-based buffer overflow vulnerability exists in Windows NTFS that allows an attacker with local access to execute arbitrary code on affected systems. The vulnerability requires user interaction—such as opening a specially crafted file—but does not require elevated privileges to trigger. Once exploited, an attacker can achieve full system compromise including reading sensitive data, modifying files, and disrupting system availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-122, CWE-20
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45636 is a heap-based buffer overflow (CWE-122) in the Windows NTFS subsystem stemming from improper input validation (CWE-20). The flaw exists in how NTFS processes certain file structures in memory, allowing an attacker to overflow a heap buffer and corrupt adjacent memory regions. By crafting a malicious NTFS file and convincing a user to access it—either through browsing a directory, opening it directly, or via another file operation—an attacker can trigger the overflow and gain code execution at the privilege level of the interacting user. The attack surface is limited to local access scenarios, but the lack of privilege requirements and relatively straightforward user interaction make the vulnerability practically exploitable in real-world environments.
Business impact
Organizations running affected Windows systems face risk of data theft, ransomware deployment, and business interruption. An attacker gaining code execution can steal intellectual property, exfiltrate customer data, deploy lateral movement tools, or encrypt files for extortion. The vulnerability is particularly concerning in shared environments—including multi-tenant systems, kiosks, and hotdesking scenarios—where untrusted users or guest accounts could weaponize the flaw. Organizations should prioritize inventory of affected Windows versions and assess exposure in scenarios where users regularly access files from external or untrusted sources.
Affected systems
The vulnerability affects a broad range of Windows client and server products: Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server 2012, 2016, 2019, 2022, and 2025. In practice, this spans the majority of Windows deployments in enterprises and consumer environments. Older versions like Windows 10 1607 and Windows Server 2012 remain in use in some organizations, often in legacy or purpose-built systems, and are equally vulnerable.
Exploitability
The vulnerability requires local access and user interaction, which moderately constrains its exploitability. However, user interaction is a low bar in practice—opening a file, browsing a folder, or previewing content is routine. An attacker could distribute a malicious file via email, USB, file-sharing services, or compromised websites. The lack of privilege escalation requirements means a standard user account is sufficient, further lowering the barrier. While not remotely exploitable over the network, the weakness is practically dangerous in any environment where files from external or less-trusted sources are accessed. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, but this does not indicate unavailability of exploit code or researcher proof-of-concept demonstrations.
Remediation
Microsoft has released security updates to address this vulnerability. Organizations should obtain and deploy the latest cumulative security update for their Windows version via Windows Update or WSUS. For Windows 10, the relevant updates correspond to the June 2026 security release and later. For Windows 11, updates are available for all supported versions. Windows Server administrators should apply the June 2026 cumulative update or later. Testing patches in non-production environments before broad deployment is recommended, particularly for critical servers. Organizations unable to patch immediately should implement compensating controls such as file access restrictions, disabling NTFS-based features if not required, and blocking external file sources at network boundaries.
Patch guidance
Verify the latest cumulative update from Microsoft's official Security Update Guide or Windows Release Notes for your specific Windows version and build number. Updates are typically released on the second Tuesday of each month. Organizations using Windows Server Update Services (WSUS) should ensure their environment is synchronized with the latest patches. For consumer and small business environments, enabling automatic Windows Update ensures timely deployment. Test patches in a lab environment mirroring production configurations before broad rollout, particularly for servers running mission-critical workloads. Document patch deployment status and maintain records for compliance audits.
Detection guidance
Monitor for suspicious file access patterns and NTFS anomalies through Windows Event Viewer (Event ID 4659 for file access auditing). Endpoint detection and response (EDR) tools should be configured to flag unexpected code execution originating from user-mode file operations or processes accessing NTFS structures abnormally. Intrusion detection systems can monitor for suspicious NTFS file handling and memory corruption signatures. Organizations may also configure Windows Defender/Microsoft Defender for endpoint-level detection. Host-based file integrity monitoring (FIM) can identify unauthorized modifications to system binaries or data files post-compromise. Logs should be centralized and retained for forensic analysis.
Why prioritize this
This vulnerability merits urgent priority due to its HIGH CVSS score (7.8), broad system coverage spanning Windows 10, 11, and multiple Server versions, and practical exploitability via user interaction without privilege escalation. The heap-based buffer overflow is a well-understood primitive that enables full code execution, and the low barriers to triggering the flaw mean compromise is achievable in common scenarios. While not yet tracked in CISA KEV, the combination of severity and applicability makes rapid patching essential.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector (users must directly interact with a malicious file), low attack complexity (simple file access triggers the flaw), no privilege requirement, user interaction present (moderate friction but routine in practice), and impact on confidentiality, integrity, and availability (all high—code execution allows data theft, system modification, and denial of service). The score does not account for organizational context; adjust local risk ratings based on exposure (e.g., environments with high external file handling warrant critical prioritization).
Frequently asked questions
Can this vulnerability be exploited remotely over the network?
No. The vulnerability requires local access to the affected system and user interaction with a malicious file. It cannot be exploited over the network without an attacker first gaining local access or tricks a user into accessing a file. However, the attacker could deliver the malicious file via email, removable media, or file-sharing services, after which local user interaction triggers the flaw.
Do I need administrator privileges to be exploited by this vulnerability?
No. The vulnerability can be triggered by a standard user account without elevated privileges. An attacker who gains code execution through this flaw would run with the privileges of the user who triggered it, but that is sufficient for data theft, lateral movement, and deployment of malware in many attack scenarios.
Is there a workaround if I cannot patch immediately?
While patching is the primary remediation, interim measures include restricting user access to untrusted file sources, disabling unnecessary NTFS features if organizationally feasible, enforcing strict file-type whitelisting, and isolating critical systems from environments where external files are regularly accessed. Endpoint detection and response tools can also provide detection and containment of exploitation attempts.
How do I know which Windows version and build I am running?
On Windows client systems, press Windows+R, type 'winver', and press Enter to display your OS version and build number. On servers, use 'systeminfo' command in Command Prompt or 'Get-ComputerInfo' in PowerShell. Cross-reference your build against the affected versions list (Windows 10 1607, 1809, 21H2, 22H2; Windows 11 23H2, 24H2, 25H2, 26H1; and Windows Server 2012, 2016, 2019, 2022, 2025) to determine if you are impacted.
This analysis is provided for informational purposes and does not constitute legal or professional security advice. Organizations should conduct their own risk assessment and verification of affected systems. Patch versions, release dates, and vendor advisories are subject to change; verify current status against official Microsoft Security Update Guide. SEC.co makes no warranty regarding the completeness or accuracy of this information relative to your specific environment. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-44811HIGHWindows DWM Heap Overflow Privilege Escalation Vulnerability
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10922HIGHChrome DevTools Same-Origin Policy Bypass (CVSS 8.8)
- CVE-2026-10942HIGHGoogle Chrome Windows Privilege Escalation Vulnerability
- CVE-2026-10946HIGHChrome Heap Buffer Overflow in Media Processing—Patch Guidance