CVE-2026-47648: Windows Storage Local Privilege Escalation Vulnerability
CVE-2026-47648 is a privilege escalation vulnerability in Windows Storage that affects multiple versions of Windows 10, Windows 11, and Windows Server. An authorized local user can exploit an untrusted search path flaw to gain elevated privileges on a compromised system. The vulnerability requires local access and user interaction is not needed, but exploitation depends on specific system conditions. With a CVSS score of 7.0 (HIGH), this poses a meaningful risk to environments where local account compromise is plausible.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-426
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Untrusted search path in Windows Storage allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the Windows Storage subsystem and stems from an improper search path configuration (CWE-426: Untrusted Search Path). When the Storage service resolves executable or library dependencies, it may load a malicious file from an attacker-controlled location before checking secure system paths. An attacker with local user privileges can place a crafted DLL or executable in a predictable directory, causing the privileged Storage process to execute it. The attack vector is local (AV:L), attack complexity is high (AC:H), and the attacker requires low privileges (PR:L). Successful exploitation results in confidentiality, integrity, and availability compromise (C:H/I:H/A:H).
Business impact
Privilege escalation on Windows systems can enable attackers to move laterally within enterprise networks, install persistent backdoors, exfiltrate sensitive data, or disrupt critical services. For organizations running Windows 10 or Windows Server infrastructure, this vulnerability creates an avenue for attackers to escalate from standard user access to system-level control. The high complexity requirement may limit automated exploitation, but targeted attacks against administrative staff or service accounts remain viable. Data centers and client environments alike require attention.
Affected systems
This vulnerability affects a broad swath of Windows products: Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server editions (2012, 2016, 2019, 2022, 2025). Organizations running any of these versions should assume they are in scope. Windows Server 2025 is included, indicating the issue affects the latest server release.
Exploitability
Exploitation requires local system access and valid user credentials, limiting the attack surface to internal threats or compromised endpoints. The high attack complexity requirement suggests the vulnerability does not yield to trivial exploitation—the attacker must understand and manipulate the search path behavior in a specific way. However, it is not a theoretical flaw; the requirement for user interaction is null, meaning no social engineering is needed once local access exists. In environments with weak endpoint controls or high insider-threat risk, this becomes more actionable.
Remediation
Microsoft will address this issue through Windows Update patches. Organizations should apply security updates as released by Microsoft for affected Windows versions. Until patches are available, mitigating controls include restricting local user account creation, enforcing privilege access management (PAM) solutions, and monitoring for suspicious DLL loading within Storage service processes. Verify patch availability and version numbers directly from Microsoft's official advisory.
Patch guidance
Monitor Microsoft's June 2026 security update releases for CVE-2026-47648 patches targeting Windows 10, Windows 11, and Windows Server. Updates will be delivered through Windows Update and Microsoft Update Catalog. Organizations should test patches in non-production environments before broad deployment. Prioritize patching for systems exposed to untrusted user populations. Confirm patched versions against the official Microsoft security bulletin to ensure correctness.
Detection guidance
Monitor for unusual DLL loading from non-standard paths by the Windows Storage service (storsvc.exe or related processes). Look for executable creation in user-writable directories (temp folders, AppData) followed by Storage process spawning or loading that binary. Endpoint Detection and Response (EDR) solutions should flag CWE-426 patterns in Storage processes. Log file integrity monitoring and application whitelisting can detect unauthorized binary placement and execution. Focus detection on systems where Storage service runs with elevated privileges.
Why prioritize this
The HIGH CVSS score, coupled with local privilege escalation impact and broad product coverage, warrants priority remediation. While the attack requires local access and high complexity, the consequences—full system compromise—make this significant for any organization managing Windows infrastructure. The presence of Windows Server 2025 in the affected list indicates this is not a legacy issue. Remediate in the next scheduled security cycle, prioritizing servers and systems housing sensitive data or running as jump hosts.
Risk score, explained
The CVSS 3.1 score of 7.0 reflects a HIGH severity vulnerability with significant impact: the attacker vector is local (AV:L), reducing ambient risk but not eliminating it for multi-user systems; attack complexity is high (AC:H), requiring specialized knowledge or conditions; privileges required are low (PR:L), meaning standard users suffice; and the impact scope is unchanged (S:U). The three maxed impact metrics (C:H, I:H, A:H) drive the overall score. This is not critical (which would require network attack vector or low complexity), but it is unquestionably high-risk for endpoint and server portfolios.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The attack vector is local (AV:L), meaning the attacker must have direct access to the compromised system. However, if a system is already breached via remote code execution or lateral movement, this vulnerability becomes a path to privilege escalation.
Do I need user interaction for an attacker to exploit this?
No. The vulnerability requires local user privileges but does not require the user to click a link, open a file, or perform any action. The attack unfolds silently once a malicious file is placed in the target directory.
Is this being actively exploited in the wild?
As of the current publication, this vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog. However, the absence of public knowledge should not be mistaken for non-exploitability. Organizations should still treat it as a priority given its severity and the technical feasibility of exploitation.
Which Windows versions are most critical to patch first?
Windows Server 2025, 2022, and 2019 should be prioritized, followed by Windows 11 versions used in high-value roles. Windows 10 versions remain in support and should be updated according to your standard patch schedule, particularly systems in administrative or sensitive roles.
This analysis is provided for informational purposes to support security decision-making. Patch version numbers and availability dates must be verified against official Microsoft security advisories and the Microsoft Update Catalog. The absence of a CVE from the Known Exploited Vulnerabilities list does not guarantee the absence of active exploitation. Organizations should conduct their own risk assessment and testing before deploying patches to production systems. This vulnerability intelligence is accurate as of the publication date but may be updated as new information emerges. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-48565HIGHWindows Narrator Braille Privilege Escalation Vulnerability
- CVE-2026-11400HIGHAWS Advanced JDBC Wrapper Privilege Escalation in Aurora PostgreSQL
- CVE-2026-11401HIGHAurora PostgreSQL Privilege Escalation via Untrusted Search Path in AWS Advanced Go Wrapper
- CVE-2026-24064HIGHWaves Central macOS Privilege Escalation (CVSS 7.8)
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis