HarborGuard Database
HIGH | CVE-2026-45640 | CNA: microsoft

CVE-2026-45640: Windows Bluetooth Port Driver Elevation of Privilege Vulnerability

Use after free in Windows Bluetooth Port Driver allows an authorized attacker to elevate privileges locally.

Metrics

CVSS v3.1: 7.0
Severity: HIGH
Fixed in: 10.0.19044.7417
Affected Products: 10


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Windows Bluetooth Port Driver, affecting Windows 10, Windows 11 (multiple versions), and Windows Server 2022. Exploitation requires an attacker to already have a low-privilege account on the target machine and to win a race condition or satisfy specific memory-layout requirements; no network access or victim interaction is needed. Successful exploitation grants the attacker full elevated privileges on the local system. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows base images.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that layer on affected Windows base images.

Triage (Available)

HarborGuard scores this CVE at CVSS 7.0 (HIGH) and can weight that score against each environment's compliance policy to surface it with the correct priority. Triage routing can direct alerts to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Available)

Patched-image rebuilds at versions 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, 10.0.22631.7219, and 10.0.26100.8655 (and their corresponding releases) are available on HarborGuard for affected base images. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; no administrative credentials are needed to attempt exploitation.

  • Victim interaction: Not required

    No user action or social engineering is required; the attacker operates entirely without victim participation.

  • Attack complexity: High

    Exploitation involves high complexity, requiring the attacker to win a race condition or satisfy specific memory-layout conditions before the vulnerability can be triggered reliably.

Blast Radius

  • Reads sensitive data accessible to the process or user context elevated to, including credentials or secrets stored on the host.
  • Modifies system files, registry keys, or other persisted resources protected by privilege boundaries.
  • Terminates or disrupts system services and processes that the original low-privilege account could not ordinarily touch.
  • Establishes a foothold with elevated permissions that can be used to pivot to further compromise of the host or connected systems.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE activates within minutes of ingestion for any customer image built on an affected Windows base layer. For environments running Windows 10 21H2, 22H2, Windows 11 23H2/24H2/25H2/26H1, or Windows Server 2022 at versions below the listed fix thresholds, a patched-image rebuild becomes available as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild at the fix version, execute a regression-test run, and open a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy requires manual review, HarborGuard routes the finding to the configured owner inbox with full CVSS context attached. Because exploitation requires only a low-privilege local account, any image used as a base for workloads with shared or multi-tenant user access should be treated as a priority upgrade target.


Fix available

10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, 10.0.22631.7219, 10.0.26100.8655, 10.0.26100.32995, 10.0.26200.8655, 10.0.28000.2269
Affected packages
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C