HIGH | CVE-2026-40409 | CNA: microsoft

CVE-2026-40409: Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 6.2.9200.26132
  • Affected Products: 20

HarborGuard Analysis

Synopsis

This is a local privilege escalation vulnerability in the Windows Universal Disk Format File System Driver (UDFS), a kernel-mode component that handles UDF-formatted optical media and disk images. The attacker must already have a local shell or process on the target host but does not need administrator rights; a standard low-privilege account is sufficient to trigger the flaw. Successful exploitation gives the attacker full control of the affected system, covering confidentiality, integrity, and availability. A patched-image rebuild at the applicable fix versions is available on HarborGuard for environments running affected Windows versions.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in both registries and active CI/CD pipelines, including custom-built Windows-based container images. Any image whose base OS layer falls within the affected version ranges is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.8 (HIGH) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer org's alert queue. Routing to the correct team inbox is available based on each customer's configured ownership and policy rules.

Status: Available

Patch

A patched-image rebuild at the applicable fix versions (for example 10.0.14393.9234 for Windows 10 1607, 10.0.17763.8880 for 1809, and 10.0.19044.7417 for 21H2/22H2) is available on HarborGuard for environments running affected base images. For customers who opt into auto-remediation, HarborGuard can rebuild the image, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network exposure of the vulnerable component is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to attempt exploitation; no administrator or elevated credentials are needed.

  • Victim interaction: Not required

    No action from another user or victim is needed; the attacker can trigger the vulnerability entirely on their own.

  • Attack complexity: Low

    The exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or other environmental dependencies.

Blast Radius

  • A successful attacker gains kernel-level code execution and can read any file or credential material on the host, including secrets accessible only to SYSTEM.
  • The attacker can modify, delete, or overwrite any file and system configuration on the host, including security policy and audit logs.
  • The attacker can crash, halt, or destabilize the operating system and any services running on it.
  • Container workloads sharing the host kernel are exposed if the underlying Windows host OS is compromised at this level.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any customer image whose Windows base OS layer falls in the affected version ranges. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image at the appropriate fix version, run a regression test suite, and open a pull request against the affected workload, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and diff are queued and surfaced for one-click promotion. Because the CVSS exploit-code-maturity metric is Unproven (E:U), immediate patching remains the primary control; network-policy isolation at the container level provides limited compensating control since exploitation is local, not remote.

Fix available

  • 6.2.9200.26132
  • 6.3.9600.23228
  • 10.0.14393.9234
  • 10.0.17763.8880
  • 10.0.19044.7417
  • 10.0.19045.7417
  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2012
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 (Server Core installation)
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 R2
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2012 R2 (Server Core installation)
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
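
An added example (not HarborGuard's or Microsoft's code) of matching an OS build string against the affected ranges listed above; the function names and the optional product hint are assumptions made for illustration. It shows that a version-only match is ambiguous on the 10.0.26100 branch, where Windows 11 Version 24H2 and Windows Server 2025 list different fix revisions.

```python
import re
from typing import NamedTuple, Optional

class Range(NamedTuple):
    product: str
    branch: tuple  # (major, minor, build)
    fix_rev: int   # first fixed revision on that branch

def parse_version(text: str) -> tuple:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip(), re.ASCII)
    if not m:
        raise ValueError(f"expected major.minor.build.revision, got {text!r}")
    return tuple(int(g) for g in m.groups())

# Fix versions transcribed from this page's "Affected packages" list; Server Core
# rows share their parent product's range and are folded into it here.
RANGES = [Range(p, parse_version(f)[:3], parse_version(f)[3]) for p, f in [
    ("Windows Server 2012", "6.2.9200.26132"),
    ("Windows Server 2012 R2", "6.3.9600.23228"),
    ("Windows 10 Version 1607", "10.0.14393.9234"),
    ("Windows Server 2016", "10.0.14393.9234"),
    ("Windows 10 Version 1809", "10.0.17763.8880"),
    ("Windows Server 2019", "10.0.17763.8880"),
    ("Windows 10 Version 21H2", "10.0.19044.7417"),
    ("Windows 10 Version 22H2", "10.0.19045.7417"),
    ("Windows Server 2022", "10.0.20348.5256"),
    ("Windows 11 Version 23H2", "10.0.22631.7219"),
    ("Windows 11 Version 24H2", "10.0.26100.8655"),
    ("Windows Server 2025", "10.0.26100.32995"),
    ("Windows 11 Version 25H2", "10.0.26200.8655"),
    ("Windows 11 version 26H1", "10.0.28000.2269"),
]]

def assess(version: str, product: Optional[str] = None) -> dict:
    """Map each listed product on the version's branch to 'affected' or 'fixed'."""
    *branch, rev = parse_version(version)
    return {r.product: "affected" if rev < r.fix_rev else "fixed"
            for r in RANGES
            if r.branch == tuple(branch)
            and (product is None or product.lower() in r.product.lower())}

def verdict(version: str, product: Optional[str] = None) -> str:
    """Collapse assess() to one of: affected, fixed, ambiguous, not-listed."""
    states = set(assess(version, product).values())
    if not states:
        return "not-listed"
    return states.pop() if len(states) == 1 else "ambiguous"
```

A result of `ambiguous` means the scanner needs the product name from the image metadata before it can decide; `not-listed` means the branch does not appear in this record, not that the build is safe.
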
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C