CVE-2026-48565: Windows Narrator Braille Elevation of Privilege Vulnerability
Untrusted search path in Windows Narrator Braille allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An untrusted search path weakness in Windows Narrator Braille allows a local attacker to escalate privileges on the affected host. In this weakness class (CWE-426, Untrusted Search Path) a privileged component locates a file or library by searching locations that include one a lower-privileged user can write to, so the attacker can supply the file that ends up being loaded. The attack is local and requires only a low-privilege account (PR:L in the vector); no network access or victim interaction is needed. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability on the host. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Microsoft publishes a fix.
HarborGuard Coverage
Detection: Available
Detection for CVE-2026-48565 is available across every HarborGuard environment, with ingestion from upstream feeds (NVD, Microsoft MSRC, and vendor advisories) occurring within minutes of publication and matched against images in customer registries and CI/CD pipelines. Coverage extends to custom-built images that bundle Windows Narrator Braille components, not just base images pulled from public registries.
Triage: Available
Triage is available with CVSS v3.1 scoring at 7.8 (HIGH), weighted against each customer environment's compliance policy to reflect actual exposure context. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Remediation: Pending upstream
Because no fix version has been published by Microsoft, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host (AV:L); no network-facing exposure is required.
- Authentication: Required
Any low-privilege local account is sufficient (PR:L); the attacker does not need administrative credentials.
- Victim interaction: Not required
No user action such as clicking a link or opening a file is needed to trigger the vulnerability (UI:N).
- Attack complexity: Low
Attack complexity is rated low (AC:L): exploitation depends on no race condition, special memory layout, or other environmental prerequisite beyond the one inherent to the weakness class, a location in the search order that the low-privilege account can write to. The temporal metrics on the vector (E:U) indicate that no public exploit code has been reported for this CVE.
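The low-privilege precondition above is what a practitioner can actually check for on a host: an untrusted search path is only reachable from a standard account if some directory consulted during the search grants that account write access. The following PowerShell script is an added example for this advisory, not code from HarborGuard or Microsoft. It audits every directory on the machine-wide PATH, plus any directories the caller names, for write rights granted to low-privilege principals, and reports the SafeDllSearchMode setting that governs where the current directory sits in the DLL search order. The principal list, the write-rights mask, and the extra directory in the usage line are assumptions for illustration; the advisory does not say which path Narrator Braille resolves, so this is a generic check for the weakness class, not a detector for this CVE.

```powershell
# Added example (not from HarborGuard or Microsoft): audit search-path directories
# for write access granted to low-privilege principals (CWE-426 precondition).

# Principals every local low-privilege account is a member of (assumed list).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller plant, replace, or remove a file in a directory.
# Write = WriteData | AppendData | WriteAttributes | WriteExtendedAttributes;
# the two hex literals are GENERIC_WRITE and GENERIC_ALL, which Get-Acl can
# return unmapped when an ACE was written with generic access bits.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]$FSR::Write -bor [int]$FSR::Delete -bor
             [int]$FSR::DeleteSubdirectoriesAndFiles -bor
             [int]$FSR::ChangePermissions -bor [int]$FSR::TakeOwnership -bor
             0x40000000 -bor 0x10000000

function Test-LowPrivWritable {
    # Emits one object per Allow ACE that gives a low-privilege principal
    # write rights on $Path; emits nothing when the directory is safe.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-SearchPathFindings {
    # Candidates: every existing directory on the machine-wide PATH, plus any
    # extra directories the caller names (for example an application's own
    # install directory, which the DLL loader searches first).
    param([string[]]$ExtraDirectories = @())
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) }
    $candidates = @($machinePath) + @($ExtraDirectories) | Select-Object -Unique
    foreach ($dir in $candidates) {
        Test-LowPrivWritable -Path $dir
    }
}

function Get-SafeDllSearchMode {
    # SafeDllSearchMode is enabled (1) by default. When it is 0, the current
    # working directory is searched before System32, widening what counts as
    # an untrusted location on this host.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $value = (Get-ItemProperty -Path $key -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    if ($null -eq $value) { 1 } else { [int]$value }
}

# Usage. The extra directory is an assumption; substitute the directory of the
# component you are auditing. Get-Acl only needs READ_CONTROL on each directory,
# which standard users normally hold, so this does not require elevation.
Get-SearchPathFindings -ExtraDirectories @("$env:ProgramFiles") | Format-Table -AutoSize
"SafeDllSearchMode = $(Get-SafeDllSearchMode)"
```

Any row in the output is a directory where a standard user could drop a file that a privileged search might pick up; whether that translates into this CVE depends on what Narrator Braille actually resolves and in which order, which the advisory does not state. Directories inherited from a loosely permissioned parent (Inherited = True) are the usual source of such findings and are fixed by correcting the parent ACL rather than the entry itself.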
Blast Radius
- A successful attacker reads protected files, credentials, or secrets stored on the host that are inaccessible to their original low-privilege account.
- The attacker writes or modifies system files, registry entries, or persisted configuration, enabling persistent backdoors or tampering with security controls.
- The attacker can crash or terminate system processes, causing service disruption on the affected host.
- Full privilege escalation to a higher-privileged context means any subsequent action on the host, including lateral movement setup, is within reach.
How HarborGuard Handles This
Status: Available on HarborGuard. Because no upstream patch exists yet, HarborGuard monitors the Microsoft MSRC advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix version is published. In the meantime, customers can apply compensating controls through HarborGuard policy: network-policy isolation to limit lateral movement from the affected host, egress filtering to reduce post-exploitation reach, and flagging any image that bundles Windows Narrator Braille for elevated review in the compliance queue. These controls constrain what an attacker can do after escalating; they do not prevent the local escalation itself, which only the upstream fix (or removing low-privilege write access from the locations the component searches) addresses. For customers with auto-remediation enabled, the full rebuild, regression test, and PR flow will trigger without manual steps as soon as Microsoft ships a fix, with median time from CVE patch publication to merged PR for high-severity issues around 90 minutes in those environments.
- Microsoft / Windows Narrator Braille
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C