HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-48583Published Modified CNA microsoft

CVE-2026-48583: Windows Kernel Elevation of Privilege Vulnerability

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.

Metrics

CVSS v3.1
7.8
Severity
HIGH
Fixed in
10.0.14393.9234
Affected Products
16

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Windows Kernel allows a locally authenticated attacker to elevate their privileges on the affected host. The attacker needs only a low-privilege account and local access; no network exposure or victim interaction is required. Successful exploitation gives the attacker full control over the host, covering confidentiality, integrity, and availability. A patched-image rebuild at the fixed Windows versions is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection for CVE-2026-48583 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built Windows-based container images. Coverage extends to all affected Windows 10 and Windows 11 version ranges listed in the advisory.

Available
Triage

Triage is available with the CVSS v3.1 score of 7.8 (HIGH) applied automatically, weighted against each customer organization's compliance policy to determine urgency and routing. The resulting finding is routed to the appropriate team inbox within each customer org based on configured ownership rules.

Available
Patch

A patched-image rebuild at the applicable fixed versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, and their Windows 11 equivalents) is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • AuthenticationRequired

    Any low-privilege local account is sufficient; no administrative credentials are needed to trigger the vulnerability.

  • Victim interactionNot required

    The attacker can execute the exploit entirely on their own; no action from another user is needed.

  • Attack complexityDetail

    The exploit is reliable and condition-free, with no race conditions or special memory-layout requirements to satisfy.

Blast Radius

  • Reads arbitrary kernel memory, exposing credential material, session tokens, and other privileged process data.
  • Modifies kernel data structures, allowing the attacker to rewrite security policy, disable audit logging, or alter running process contexts.
  • Crashes or destabilizes the kernel, causing a full system outage on the affected host.
  • Achieves full SYSTEM-level code execution, giving the attacker unrestricted control over the host and all workloads running on it.

How HarborGuard Handles This

Available on HarborGuard: detection for this use-after-free is active against all Windows-based container images in customer registries and CI pipelines, matched within minutes of the CVE's publication. Patched-image rebuilds at the fixed versions are available for any environment found running an affected Windows 10 or Windows 11 release. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the patched version, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy restricts auto-remediation, the finding is surfaced in the customer's triage queue with the CVSS 7.8 HIGH score and affected image list attached for manual review.

See how HarborGuard automates this

Fix available

10.0.14393.923410.0.17763.888010.0.19044.741710.0.19045.741710.0.20348.525610.0.22631.721910.0.26100.865510.0.26100.3299510.0.26200.865510.0.28000.2269
Patch commits
Affected packages
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
References