CVE-2026-45636: Windows NTFS Remote Code Execution Vulnerability
Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 6.2.9200.26132
- Affected Products
- 20
HarborGuard Analysis
Synopsis
Heap-based buffer overflow in the Windows NTFS driver allows a local attacker to execute arbitrary code on affected Windows 10 and Windows 11 systems. The vulnerability is reached locally and requires no prior authentication, but the attacker must convince a user to open a specially crafted file or interact with a malicious NTFS volume. Successful exploitation gives the attacker full read, write, and execution control over the affected system. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows-based container images.
HarborGuard Coverage
Detection of CVE-2026-45636 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication using feeds from Microsoft and upstream NVD sources, covering both base images and custom-built images that include affected Windows NTFS components. HarborGuard's pipeline is capable of identifying all affected Windows 10 and Windows 11 version ranges listed in the advisory.
AvailableTriage is available with the full CVSS v3.1 score of 7.8 (HIGH) applied to each matched image, weighted against per-environment compliance policies to determine urgency and escalation path. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
AvailableA patched-image rebuild at the applicable fix versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and corresponding Windows 11 versions) is available on HarborGuard for environments running affected images. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the target is required.
- AuthenticationNot required
No prior account or credential is needed to attempt exploitation (PR:N).
- Victim interactionRequired
A local user must interact with a malicious file or NTFS volume, such as opening a crafted disk image, making this a social-engineering-dependent attack (UI:R).
- Attack complexityDetail
Exploit reliability is high; no race conditions or special environmental conditions are required to trigger the overflow (AC:L).
Blast Radius
- A successful attacker executes arbitrary code in the context of the affected process, gaining the ability to run any program or command on the host.
- Confidentiality is fully compromised: the attacker reads any file, credential, or secret accessible on the local filesystem, including stored tokens and application data.
- Integrity is fully compromised: the attacker writes or modifies files, registry entries, and persisted application state on the host.
- Availability is fully compromised: the attacker crashes the NTFS driver or the host system, or uses code execution to disrupt or destroy running services.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-45636 is active against all scanned images, with results surfaced within minutes of CVE publication. For environments running affected Windows 10 or Windows 11 base images, a patched-image rebuild targeting the appropriate fix version is available. Where compliance policy permits auto-remediation, HarborGuard can rebuild the image, execute a regression run, and open a pull request against affected workloads automatically; for high-severity issues, the median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. For teams managing these images manually, HarborGuard surfaces the specific fix version required per affected image in the finding detail, so engineers can target the correct update without additional research.
Fix available
- Microsoft / Windows 10 Version 1607< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2< 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2< 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2< 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2< 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation)< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation)< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C