HIGH 7.0

CVE-2026-45640: Windows Bluetooth Port Driver Use-After-Free Privilege Escalation

A use-after-free vulnerability in the Windows Bluetooth Port Driver permits a user with local system access to escalate their privileges to a higher level. The flaw exists because the driver fails to properly manage memory when Bluetooth port operations conclude, leaving a freed memory region accessible for malicious manipulation. An attacker must already have some level of local authentication and user rights to exploit this issue, but successful exploitation grants full system control.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
16 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Windows Bluetooth Port Driver allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45640 is a use-after-free vulnerability (CWE-416) in the Windows Bluetooth Port Driver that allows privilege escalation. The driver does not correctly invalidate or release memory references after Bluetooth port operations complete, enabling a local authenticated user to reference freed memory and corrupt kernel-mode state. The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects local access requirement, high attack complexity, low privilege requirement, and confidentiality, integrity, and availability impacts. Exploitation does not require user interaction.

Business impact

Successful exploitation results in privilege escalation on affected Windows systems, allowing an authenticated attacker to assume administrative or system-level permissions. This compromises confidentiality, integrity, and availability of the host and any sensitive data it processes or stores. Organizations running affected Windows versions in shared or multi-tenant environments face elevated risk, as any local user account becomes a vector for full system compromise. Critical services or data processing pipelines on these systems require immediate attention.

Affected systems

The vulnerability affects Windows 10 versions 21H2 and 22H2, Windows 11 versions 23H2, 24H2, 25H2, and 26H1, as well as Windows Server 2022 and Windows Server 2025. Both client and server operating systems across multiple release channels are impacted, making this a broad-reach issue across Microsoft's current and near-current supported product line.

Exploitability

Exploitation requires local system access and valid user credentials; remote exploitation is not feasible. The attack complexity is rated as high, suggesting the technique demands specific timing, memory layout knowledge, or environmental conditions to succeed reliably. However, because the attacker already holds local authentication, the barrier to attempted exploitation is moderate rather than high. No public exploit code or active in-the-wild abuse has been confirmed as of the publication date.

Remediation

Apply security updates released by Microsoft for this vulnerability as soon as possible. Organizations should prioritize systems that run Bluetooth services, handle multi-user access, or process sensitive data. Verify patch availability and compatibility with your infrastructure before deployment. In parallel, implement or reinforce least-privilege access policies to limit the number of local user accounts and reduce the attack surface for privilege escalation attacks.

Patch guidance

Microsoft has released security updates addressing this vulnerability across all affected product versions. Verify the specific update availability for your Windows 10 and Windows 11 versions, as well as Server 2022 and 2025 deployments, through Windows Update or the Microsoft Security Update Guide. Test patches in a non-production environment first to confirm compatibility with Bluetooth hardware and any dependent drivers or applications. Deploy updates to client machines and servers on a prioritized timeline based on your risk assessment.

Detection guidance

Monitor for abnormal Bluetooth driver activity, unexpected privilege escalation events, and suspicious kernel-mode memory access patterns on endpoints. Log authentication events on local user accounts and cross-reference with unusual process execution or system calls. Endpoint Detection and Response (EDR) solutions should flag attempts to manipulate freed memory or interact with the Bluetooth port driver in unexpected ways. Kernel debugging tools and Windows Event Viewer logs (Security and System channels) can reveal suspicious Bluetooth-related activity in post-incident analysis.

Why prioritize this

This vulnerability warrants rapid patching due to its local privilege escalation capability and broad impact across Windows client and server platforms. While exploitation requires prior local access, the widespread presence of these Windows versions in enterprise environments and the severity of privilege escalation attacks make this a critical security priority. The high CVSS score (7.0) and complete system compromise potential justify urgent remediation scheduling.

Risk score, explained

The CVSS 3.1 score of 7.0 (HIGH) reflects a local-access-only vulnerability with moderate attack complexity, legitimate user privileges required as a prerequisite, and high impact on confidentiality, integrity, and availability. The score appropriately penalizes the pre-requisite local authentication requirement while acknowledging that an authenticated attacker can fully compromise the system. Organizations with stringent access controls may reduce their practical risk; those with permissive local account policies or shared systems face elevated real-world exposure.

Frequently asked questions

Do we need local administrative privileges to exploit this vulnerability?

No. An attacker needs valid local user credentials and some level of system access, but not administrative privileges. This makes the vulnerability more accessible than it might initially appear, especially in shared computing environments or systems with many local accounts.

Is this vulnerability actively being exploited in the wild?

As of the publication date, there is no confirmed evidence of active exploitation in the wild. However, privilege escalation vulnerabilities in widely deployed operating systems can attract interest from threat actors, so timely patching remains essential.

Can this be exploited remotely, such as through a network connection?

No. The attack vector is strictly local (AV:L in the CVSS vector). Remote exploitation over Bluetooth or network protocols is not feasible. An attacker must have interactive access or a valid local account on the affected system.

Which Windows versions should we prioritize for patching?

Patch all affected versions, but prioritize Windows 11 versions and Windows Server deployments in production environments first, as these tend to be deployed in higher-value or multi-user scenarios. Windows 10 systems should follow quickly behind.

This analysis is provided for informational purposes and does not constitute official vendor guidance. Verify all patch version numbers, release dates, and affected product lists against Microsoft's official security advisories and the Windows Security Update Guide before deploying patches. CVSS scores are accurate as of the publication date; consult NIST or vendor advisories for the authoritative vector and scoring rationale. This vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of the analysis date. Organizations should evaluate risk based on their specific infrastructure, access controls, and threat landscape. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).