CVE-2026-45653: Windows Kernel Elevation of Privilege Vulnerability
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1
- 7.0
- Severity
- HIGH
- Fixed in
- 6.2.9200.26132
- Affected Products
- 20
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Windows Kernel allows a local attacker with a low-privilege account to elevate their privileges on affected Windows 10 and Windows 11 systems. The flaw is reached locally, meaning the attacker must already have an existing shell or process on the host, and exploitation requires navigating a race condition or favorable memory layout. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the system. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows-based container images.
HarborGuard Coverage
Detection of CVE-2026-45653 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built Windows-based container images, not just images pulled directly from upstream sources.
AvailableHarborGuard is capable of scoring this CVE at CVSS 7.0 (HIGH) and weighting findings against each customer organization's compliance policy to determine urgency. Triage routing directs findings to the appropriate team inbox within each customer org based on image ownership and policy configuration.
AvailableA patched-image rebuild at the applicable fix version (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, or later depending on the affected build) becomes available on HarborGuard once the upstream update is ingested. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test, and opens a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- AuthenticationRequired
Any low-privilege local account is sufficient; no administrative credentials are needed to attempt exploitation.
- Victim interactionNot required
No user interaction is required; the attacker can trigger the vulnerability entirely through their own process.
- Attack complexityDetail
Exploitation is not straightforward and depends on winning a race condition or achieving a specific memory layout, making reliable exploitation harder.
Blast Radius
- Reads protected kernel memory, including credentials, tokens, and sensitive process data belonging to other users or the system.
- Modifies kernel data structures or other processes' memory, enabling persistent changes to system state or privilege grants.
- Crashes the affected system or kernel components, causing a denial of service for all users and workloads on the host.
- Breaks out of lower-privilege process boundaries, allowing full control over the underlying Windows host.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-45653 runs against all customer images containing affected Windows kernel versions as soon as the CVE enters the upstream feed. Where compliance policy permits, auto-remediation customers receive a rebuilt image at the patched version, a regression-test run, and a PR opened against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers who have not opted into auto-remediation, HarborGuard surfaces the specific affected build version alongside the applicable fix version so engineers can prioritize the update manually. As a compensating control while patching is underway, restricting interactive shell access and limiting local logon rights via network policy reduces the window of opportunity for an attacker to leverage this local privilege escalation.
Fix available
- Microsoft / Windows 10 Version 1607< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2< 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2< 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2< 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2< 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation)< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation)< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C