
Urgent: CVE‑2026‑3219 – Critical Vulnerability in Microsoft Loading Service Exposes Sensitive Data

Vulnerabilities Reporter

A critical flaw in Microsoft’s Loading service (CVE‑2026‑3219) allows attackers to read arbitrary files and execute code on affected systems. Immediate patching and configuration changes are required to mitigate the risk.

CVE‑2026‑3219 – Critical Vulnerability in Microsoft Loading Service

Impact

The Loading service, part of Windows 10/11 and Windows Server 2022, contains a flaw that allows local attackers to read arbitrary files and execute code with SYSTEM privileges. An attacker who can gain local access can steal credentials, install malware, or pivot to other systems. The flaw is rated CVSS 9.8 (Critical).

Affected Versions

  • Windows 10 version 21H2 and earlier
  • Windows 11 version 21H2 and earlier
  • Windows Server 2022 version 21H2 and earlier

Microsoft has released patches for all affected releases. The update is available through Windows Update and the Microsoft Update Catalog.

Technical Details

The Loading service parses configuration files without proper bounds checking. An attacker can supply a crafted file that causes the service to read beyond the intended buffer, exposing adjacent memory. This memory may contain credentials or other sensitive data. Additionally, the service can be tricked into executing arbitrary code via a malicious DLL placed in the expected plugin directory.

The vulnerability is exploitable only when the attacker has local access or can execute code with elevated privileges. Remote exploitation requires a separate vulnerability that is not yet publicly disclosed.

Mitigation Steps

  1. Apply the patch immediately. Download the update from the Microsoft Update Catalog or let Windows Update install it automatically.
  2. Restrict local user privileges. Disable the Load User Profile service for accounts that do not require it.
  3. Audit the plugin directory. Remove any unexpected DLLs from C:\Program Files\Microsoft\Loading\Plugins.
  4. Enable AppLocker or Software Restriction Policies to block execution of unknown binaries in the Loading service path.
  5. Monitor for anomalous file reads. Use Sysmon or Windows Event Forwarding to alert on FileRead events from the Loading service.
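
The plugin directory audit in step 3 can be scripted. The PowerShell below is an added example, not code from Microsoft or from this advisory: it lists every DLL under the plugin path given above with its SHA-256 hash and Authenticode status, and reports any non-administrative account that holds write access to the directory. The allowlist value is a placeholder and the function names are hypothetical; build the allowlist from a trusted reference install.

```powershell
# Added example: audit the plugin directory named in step 3.
# $PluginDir is the path from the advisory; $KnownGood is a hypothetical
# allowlist of SHA-256 hashes taken from a trusted reference install.
param(
    [string]$PluginDir = 'C:\Program Files\Microsoft\Loading\Plugins',
    [string[]]$KnownGood = @('<SHA256-OF-KNOWN-GOOD-PLUGIN>')   # placeholder
)

function Get-PluginAudit {
    param([string]$Path, [string[]]$Allowlist)
    Get-ChildItem -LiteralPath $Path -Filter *.dll -File -Recurse -Force -ErrorAction Stop |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path        = $_.FullName
                SHA256      = $hash
                Signature   = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
                Signer      = $sig.SignerCertificate.Subject   # empty when unsigned
                LastWrite   = $_.LastWriteTimeUtc
                Allowlisted = $Allowlist -contains $hash
            }
        }
}

function Get-WritableByNonAdmin {
    param([string]$Path)
    # Trustees that normally hold write access under Program Files.
    $expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
    # Write-type rights only (no read/execute bits), plus GENERIC_WRITE and GENERIC_ALL.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = $mask -bor 0x50000000
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $mask) -and
        $expected -notcontains $_.IdentityReference.Value
    }
}

# DLLs that are not on the allowlist or do not carry a valid signature, newest first.
$audit = Get-PluginAudit -Path $PluginDir -Allowlist $KnownGood
$audit | Where-Object { -not $_.Allowlisted -or $_.Signature -ne 'Valid' } |
    Sort-Object LastWrite -Descending | Format-Table -AutoSize -Wrap
# Any row here means a non-administrative trustee could place a DLL in the directory.
Get-WritableByNonAdmin -Path $PluginDir | Format-Table IdentityReference, FileSystemRights, IsInherited
```

Run it from an elevated prompt so that every file and the directory ACL can be read. Treat any DLL it reports as a candidate for investigation before removal.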

Timeline

  • 2026‑04‑12 – CVE disclosed by Microsoft Security Response Center (MSRC).
  • 2026‑04‑15 – Patch released for all affected Windows versions.
  • 2026‑04‑20 – MSRC publishes detailed guidance and remediation steps.
  • 2026‑05‑01 – Advisory urges all organizations to verify patch deployment.

Further Resources

Immediate action required. Failure to patch exposes systems to credential theft and potential lateral movement within the network. Follow the steps above without delay.
