CVE-2026-45640: Windows Bluetooth Port Driver Use-After-Free Privilege Escalation
A use-after-free vulnerability in the Windows Bluetooth Port Driver permits a user with local system access to escalate their privileges to a higher level. The flaw exists because the driver fails to properly manage memory when Bluetooth port operations conclude, leaving a freed memory region accessible for malicious manipulation. An attacker must already have some level of local authentication and user rights to exploit this issue, but successful exploitation grants full system control.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 16 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in Windows Bluetooth Port Driver allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45640 is a use-after-free vulnerability (CWE-416) in the Windows Bluetooth Port Driver that allows privilege escalation. The driver does not correctly invalidate or release memory references after Bluetooth port operations complete, enabling a local authenticated user to reference freed memory and corrupt kernel-mode state. The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects local access requirement, high attack complexity, low privilege requirement, and confidentiality, integrity, and availability impacts. Exploitation does not require user interaction.
Business impact
Successful exploitation results in privilege escalation on affected Windows systems, allowing an authenticated attacker to assume administrative or system-level permissions. This compromises confidentiality, integrity, and availability of the host and any sensitive data it processes or stores. Organizations running affected Windows versions in shared or multi-tenant environments face elevated risk, as any local user account becomes a vector for full system compromise. Critical services or data processing pipelines on these systems require immediate attention.
Affected systems
The vulnerability affects Windows 10 versions 21H2 and 22H2, Windows 11 versions 23H2, 24H2, 25H2, and 26H1, as well as Windows Server 2022 and Windows Server 2025. Both client and server operating systems across multiple release channels are impacted, making this a broad-reach issue across Microsoft's current and near-current supported product line.
Exploitability
Exploitation requires local system access and valid user credentials; remote exploitation is not feasible. The attack complexity is rated as high, suggesting the technique demands specific timing, memory layout knowledge, or environmental conditions to succeed reliably. However, because the attacker already holds local authentication, the barrier to attempted exploitation is moderate rather than high. No public exploit code or active in-the-wild abuse has been confirmed as of the publication date.
Remediation
Apply security updates released by Microsoft for this vulnerability as soon as possible. Organizations should prioritize systems that run Bluetooth services, handle multi-user access, or process sensitive data. Verify patch availability and compatibility with your infrastructure before deployment. In parallel, implement or reinforce least-privilege access policies to limit the number of local user accounts and reduce the attack surface for privilege escalation attacks.
Patch guidance
Microsoft has released security updates addressing this vulnerability across all affected product versions. Verify the specific update availability for your Windows 10 and Windows 11 versions, as well as Server 2022 and 2025 deployments, through Windows Update or the Microsoft Security Update Guide. Test patches in a non-production environment first to confirm compatibility with Bluetooth hardware and any dependent drivers or applications. Deploy updates to client machines and servers on a prioritized timeline based on your risk assessment.
Detection guidance
Monitor for abnormal Bluetooth driver activity, unexpected privilege escalation events, and suspicious kernel-mode memory access patterns on endpoints. Log authentication events on local user accounts and cross-reference with unusual process execution or system calls. Endpoint Detection and Response (EDR) solutions should flag attempts to manipulate freed memory or interact with the Bluetooth port driver in unexpected ways. Kernel debugging tools and Windows Event Viewer logs (Security and System channels) can reveal suspicious Bluetooth-related activity in post-incident analysis.
Why prioritize this
This vulnerability warrants rapid patching due to its local privilege escalation capability and broad impact across Windows client and server platforms. While exploitation requires prior local access, the widespread presence of these Windows versions in enterprise environments and the severity of privilege escalation attacks make this a critical security priority. The high CVSS score (7.0) and complete system compromise potential justify urgent remediation scheduling.
Risk score, explained
The CVSS 3.1 score of 7.0 (HIGH) reflects a local-access-only vulnerability with moderate attack complexity, legitimate user privileges required as a prerequisite, and high impact on confidentiality, integrity, and availability. The score appropriately penalizes the pre-requisite local authentication requirement while acknowledging that an authenticated attacker can fully compromise the system. Organizations with stringent access controls may reduce their practical risk; those with permissive local account policies or shared systems face elevated real-world exposure.
Frequently asked questions
Do we need local administrative privileges to exploit this vulnerability?
No. An attacker needs valid local user credentials and some level of system access, but not administrative privileges. This makes the vulnerability more accessible than it might initially appear, especially in shared computing environments or systems with many local accounts.
Is this vulnerability actively being exploited in the wild?
As of the publication date, there is no confirmed evidence of active exploitation in the wild. However, privilege escalation vulnerabilities in widely deployed operating systems can attract interest from threat actors, so timely patching remains essential.
Can this be exploited remotely, such as through a network connection?
No. The attack vector is strictly local (AV:L in the CVSS vector). Remote exploitation over Bluetooth or network protocols is not feasible. An attacker must have interactive access or a valid local account on the affected system.
Which Windows versions should we prioritize for patching?
Patch all affected versions, but prioritize Windows 11 versions and Windows Server deployments in production environments first, as these tend to be deployed in higher-value or multi-user scenarios. Windows 10 systems should follow quickly behind.
This analysis is provided for informational purposes and does not constitute official vendor guidance. Verify all patch version numbers, release dates, and affected product lists against Microsoft's official security advisories and the Windows Security Update Guide before deploying patches. CVSS scores are accurate as of the publication date; consult NIST or vendor advisories for the authoritative vector and scoring rationale. This vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of the analysis date. Organizations should evaluate risk based on their specific infrastructure, access controls, and threat landscape. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability