CVE-2026-45605: Windows Bluetooth Service Elevation of Privilege Vulnerability
Use after free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 10.0.14393.9234
- Affected Products
- 16
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Windows Bluetooth Service allows a locally authenticated attacker to elevate privileges on affected Windows 10 and Windows 11 systems. The bug is reachable from a low-privilege user account without any network access, and exploitation requires no victim interaction. Successful exploitation grants the attacker full control over the affected host, including reading sensitive data, modifying system state, and crashing or disrupting services. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows base images.
HarborGuard Coverage
Detection for CVE-2026-45605 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that derive from affected Windows base layers. Any image whose Windows build version falls within the affected ranges is flagged automatically.
AvailableHarborGuard scores this CVE at CVSS 7.8 HIGH and weights it further against each customer environment's compliance policy, surfacing findings at the severity level that policy dictates. Triage routing directs the finding to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild at the applicable fix versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, and the corresponding Windows 11 builds) is available on HarborGuard for any environment running an affected image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- AuthenticationRequired
Any low-privilege local account is sufficient; the attacker does not need administrative or elevated credentials before exploiting the vulnerability.
- Victim interactionNot required
No user interaction of any kind is needed; the attacker can trigger the use-after-free entirely from their own process.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- A successful attacker reads high-confidentiality data from the affected host, including credentials, tokens, and other sensitive process memory.
- The attacker modifies system files, registry keys, or other persisted state with full write access at an elevated privilege level.
- The attacker crashes or disrupts the affected service or the broader operating system, causing denial of service on that host.
- Because privilege is fully elevated, the attacker can install persistent backdoors or pivot to other resources accessible from the compromised host.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-45605 is active for all images derived from affected Windows 10 and Windows 11 base layers, matched within minutes of CVE publication. Patched rebuilds at the fix versions listed in the advisory are available for affected images. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched base version, runs a regression test suite, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage their own patch cadence can review flagged images in the HarborGuard dashboard and apply the rebuild on demand. Where compliance policy requires manual approval before remediation, findings are routed to the designated approver inbox with full CVSS context attached.
Fix available
- Microsoft / Windows 10 Version 1607< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2< 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2< 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2< 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2< 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C