CVE-2026-44809: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 10.0.26100.8655
- Affected Products: 5
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Windows Common Log File System (CLFS) Driver allows a locally authenticated attacker to elevate privileges on affected Windows 11 and Windows Server 2025 systems. The attacker requires only a low-privilege local account and no interaction from any other user. Successful exploitation gives the attacker full control over the affected system, with high impact on confidentiality, integrity, and availability. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows builds.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Windows-based container images, to surface any affected OS components. Coverage extends to images in both connected registries and active CI/CD pipelines.
Available
HarborGuard scores this CVE at CVSS 7.8 (HIGH) and applies per-environment compliance policy weighting to prioritize routing, ensuring it reaches the appropriate team inbox within each customer organization. Triage context includes the affected Windows build ranges and the local-privilege-escalation impact class to help teams assess exposure quickly.
Available
Patched-image rebuilds at fix versions 10.0.26100.8655, 10.0.26100.32995, 10.0.26200.8655, and 10.0.28000.2269 are available on HarborGuard for environments running an affected build. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required
  Any low-privilege local account is sufficient; the attacker does not need administrative rights to trigger the vulnerability.
- Victim interaction: Not required
  No action from any other user or victim is required for the exploit to succeed.
- Attack complexity: Detail
  The exploit is reliable and condition-free, with no race conditions or special environmental factors required.
Blast Radius
- A successful attacker reads protected files, credentials, and other high-confidentiality data stored on the host.
- The attacker writes or modifies kernel-level and user-space data, including security policy and audit records managed by the CLFS driver.
- The attacker gains the ability to crash or disable system services, including the host OS itself, causing a denial-of-service condition.
- Full privilege escalation to SYSTEM-level access is achievable, giving the attacker unrestricted control over the compromised Windows host.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-44809 is active across all customer environments, matching against Windows 11 and Windows Server 2025 base images and any custom images layered on top of them. Patched rebuilds at the fixed build numbers are available for affected image variants. For customers who opt into auto-remediation, HarborGuard handles the full flow: rebuilding the image at the patched version, running regression tests, and opening a pull request against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy restricts automated changes, the rebuilt image and a prioritized finding card are surfaced in the dashboard for manual review. Teams without an immediate upgrade path should consider network-policy isolation of hosts running affected builds and restricting local interactive logon to reduce the pool of accounts that could trigger the use-after-free condition.
Fix available
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
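The build ranges in the fix list above, turned into an inventory check. This is an added example, not HarborGuard's or Microsoft's code; the host names and inventory rows are constructed, and product strings are assumed to match the names used on this page. It shows two things the list implies: revisions must be compared as numbers, and build 10.0.26100 alone does not identify the fix level because the Windows 11 24H2 and Windows Server 2025 fixes differ.

```python
# Build ranges copied from the "Fix available" list on this page:
# product -> (first affected build, first fixed build).
RANGES = {
    "Windows 11 Version 24H2": ("10.0.26100.0", "10.0.26100.8655"),
    "Windows 11 Version 25H2": ("10.0.26200.0", "10.0.26200.8655"),
    "Windows 11 version 26H1": ("10.0.28000.0", "10.0.28000.2269"),
    "Windows Server 2025": ("10.0.26100.0", "10.0.26100.32995"),
    "Windows Server 2025 (Server Core installation)": ("10.0.26100.0", "10.0.26100.32995"),
}
_BY_NAME = {name.casefold(): rng for name, rng in RANGES.items()}


def parse_build(text):
    """'10.0.26100.8655' -> (10, 0, 26100, 8655); compare as numbers, not strings."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected major.minor.build.revision, got {text!r}")
    return parts


def status(product, build):
    """Classify one host as 'affected', 'fixed' or 'not listed'."""
    rng = _BY_NAME.get(product.strip().casefold())
    if rng is None:
        return "not listed"            # product is not in this advisory
    first, fixed = parse_build(rng[0]), parse_build(rng[1])
    have = parse_build(build)
    if have[:3] != first[:3]:
        return "not listed"            # different build branch than the listed range
    return "affected" if have < fixed else "fixed"


def affected_hosts(inventory):
    """Return the host names whose (product, build) falls inside a listed range."""
    return [host for host, product, build in inventory
            if status(product, build) == "affected"]


# Constructed sample inventory (hypothetical host names and builds).
INVENTORY = [
    ("ws-014", "Windows 11 Version 24H2", "10.0.26100.8655"),
    ("srv-db02", "Windows Server 2025", "10.0.26100.8655"),
    ("srv-core1", "Windows Server 2025 (Server Core installation)", "10.0.26100.32995"),
    ("ws-201", "Windows 11 Version 25H2", "10.0.26200.7000"),
    ("ws-old", "Windows 10 Version 22H2", "10.0.19045.5000"),
]

if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(host)
```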