CVE-2026-47648: Windows Storage Elevation of Privilege Vulnerability
Untrusted search path in Windows Storage allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.0
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
An untrusted search path vulnerability in the Windows Storage component allows a locally authenticated attacker to elevate privileges on affected Windows 10 and Windows 11 systems. The attacker needs an existing low-privilege account and local access; no network exposure is required. Successful exploitation gives the attacker full control over the host, including read, write, and availability impact at the system level. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows base images.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that derive from affected Windows base layers. Any image whose base OS version falls within the affected ranges is flagged automatically.
HarborGuard scores this CVE at 7.0 HIGH (CVSS v3.1) and can weight that score against each customer org's per-environment compliance policy to determine priority and severity tier. Triage results are routed to the appropriate team inbox inside each customer organization based on configured policy rules.
Patched-image rebuilds at the applicable fix versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.22631.7219, 10.0.26100.8655, 10.0.26200.8655) are available on HarborGuard for environments running affected Windows base images. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the service is required.
- Authentication: Required
Any low-privilege local account is sufficient; the attacker does not need administrative or elevated credentials to begin the attack.
- Victim interaction: Not required
No user interaction is needed; the attacker can execute the exploit entirely without involvement from another user.
- Attack complexity: High
Exploitation is rated High complexity, meaning the attacker must meet specific environmental conditions or timing constraints, such as race conditions or a particular process state, before the exploit succeeds reliably.
Blast Radius
- A successful attacker reads protected files, credentials, and other high-confidentiality data stored on the local system.
- The attacker writes to or modifies protected system files and persisted data, including registry keys and storage-layer objects.
- The attacker can crash or render unavailable the affected storage subsystem or dependent services on the host.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-47648 is active across all customer environments, matching images built on affected Windows 10 and Windows 11 base layers against the published vulnerable version ranges. For environments where affected base images are present, patched rebuilds at the upstream fix versions are available. Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; for high-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in those environments. Customers who manage their own patch cadence can use HarborGuard's triage output to prioritize the affected images and apply the appropriate Windows update package to reach the patched OS build.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
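The affected-range table above lends itself to an automated check. The following is an added example, not HarborGuard's own code or tooling: it transcribes the page's ranges (Server Core entries folded into their parent product) and reports whether a four-part Windows build, as printed by `ver` on the host, still needs the update. It assumes the caller may or may not know the product SKU; when the SKU is unknown it errs on the side of reporting the build as affected.

```python
# Added example, not HarborGuard's own code: decide whether an observed Windows
# build falls inside one of the affected ranges listed on this page. Builds are
# compared numerically, component by component; a lexical string comparison
# would wrongly rank 10.0.19045.10000 as older than the 10.0.19045.7417 fix.
# (product, introduced, fixed): inclusive "(from ...)" value, exclusive "< ..."
# value, transcribed from the "Fix available" table. Server Core entries share
# their parent product's range and are folded into it.
AFFECTED = [
    ("Windows 10 Version 1607", "10.0.14393.0", "10.0.14393.9234"),
    ("Windows 10 Version 1809", "10.0.17763.0", "10.0.17763.8880"),
    ("Windows 10 Version 21H2", "10.0.19044.0", "10.0.19044.7417"),
    ("Windows 10 Version 22H2", "10.0.19045.0", "10.0.19045.7417"),
    ("Windows 11 Version 23H2", "10.0.22631.0", "10.0.22631.7219"),
    ("Windows 11 Version 24H2", "10.0.26100.0", "10.0.26100.8655"),
    ("Windows 11 Version 25H2", "10.0.26200.0", "10.0.26200.8655"),
    ("Windows 11 Version 26H1", "10.0.28000.0", "10.0.28000.2269"),
    ("Windows Server 2012", "6.2.9200.0", "6.2.9200.26132"),
    ("Windows Server 2012 R2", "6.3.9600.0", "6.3.9600.23228"),
    ("Windows Server 2016", "10.0.14393.0", "10.0.14393.9234"),
    ("Windows Server 2019", "10.0.17763.0", "10.0.17763.8880"),
    ("Windows Server 2022", "10.0.20348.0", "10.0.20348.5256"),
    ("Windows Server 2025", "10.0.26100.0", "10.0.26100.32995"),
]

def parse_build(s: str) -> tuple:
    # "10.0.19045.7417" -> (10, 0, 19045, 7417); anything else is rejected.
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows build string: {s!r}")
    return tuple(int(p) for p in parts)

def matching_ranges(build: str, product=None) -> list:
    """Affected entries containing `build`, compared only within the build's own
    branch (first three components). With `product` unset every product on that
    branch counts: 24H2 and Server 2025 share 10.0.26100 but differ in fix."""
    b = parse_build(build)
    hits = []
    for prod, introduced, fixed in AFFECTED:
        lo, hi = parse_build(introduced), parse_build(fixed)
        if lo[:3] != b[:3]:
            continue  # different servicing branch
        if product is not None and prod.lower() != product.lower():
            continue  # caller knows the SKU; skip other products
        if lo <= b < hi:
            hits.append((prod, introduced, fixed))
    return hits

def is_vulnerable(build: str, product=None) -> bool:
    return bool(matching_ranges(build, product))
```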