
Urgent: CVE-2026-40034 – Critical Microsoft Vulnerability Exposes Sensitive Data

Vulnerabilities Reporter

Microsoft Windows 11 and Windows Server 2026 are vulnerable to a critical flaw that allows attackers to read arbitrary files. The CVE-2026-40034 vulnerability carries a CVSS score of 9.8. Immediate patching and verification are mandatory.

CVE-2026-40034 – Critical Windows File‑Read Vulnerability

Immediate Impact

  • Affected systems: Windows 11 22H2, Windows Server 2026 v2.0, and all builds using the File Explorer component.
  • Severity: CVSS 9.8 (Critical).
  • Exploitability: Remote code execution possible via crafted file‑path strings.
  • Data exposure: Any user can read files owned by SYSTEM, including credentials and secrets.

Technical Details

The flaw resides in the File Explorer path‑validation routine. When a user opens a file with a specially crafted UNC path, the routine fails to enforce proper privilege checks. The attacker can then trigger a read operation on any file path, bypassing Windows Access Control Lists (ACLs). The vulnerability is triggered by a single network request to a local service that processes file metadata.

Example

A malicious file named \\server\share\..\..\..\Windows\System32\config\SAM can be opened from a remote machine. The system interprets the path, resolves it to C:\Windows\System32\config\SAM, and returns the file contents to the attacker.

Mitigation Steps

  1. Apply the latest security update. Download the patch from the official Microsoft Update Catalog: CVE-2026-40034 Patch.
  2. Disable the vulnerable feature until the patch is installed. Run reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer /v EnableFileRead /t REG_DWORD /d 0 /f to block the path‑validation routine.
  3. Reboot the affected machines.
  4. Verify that the registry key EnableFileRead is set to 0 and that the patch version is 10.0.22621.1200.
  5. Audit file access logs for any suspicious reads of system files.
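The following PowerShell script is an added example for steps 2 through 5 above; it is not part of the advisory and not Microsoft's tooling. It assumes only what the advisory states: the `EnableFileRead` value under the Explorer key and the patched build `10.0.22621.1200`. The audit check relies on Security event 4663 (object access), which only appears when file-system object auditing and a SACL on the target files are already configured.

```powershell
# Added verification helper for the mitigation steps (example code, not from the advisory).
# Assumes the registry value and patch build quoted in the advisory text.
$ExplorerKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$ValueName    = 'EnableFileRead'
$PatchedBuild = [version]'10.0.22621.1200'

function Test-MitigationRegistry {
    # Step 4: the workaround is in place only if EnableFileRead exists and is 0.
    $item = Get-ItemProperty -Path $ExplorerKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq 0)
}

function Get-CurrentBuild {
    # Win32_OperatingSystem.Version yields "10.0.22621"; the UBR registry value
    # supplies the update revision, giving the full four-part build number.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    return [version]"$($os.Version).$ubr"
}

function Test-PatchedBuild {
    # Step 4: compare the running build against the patched build from the advisory.
    return ((Get-CurrentBuild) -ge $PatchedBuild)
}

function Get-SuspiciousSystemFileReads {
    param([int]$Hours = 24)
    # Step 5: look for object-access events (4663) touching the registry hive files
    # under System32\config. Requires "Audit File System" and a SACL on those files.
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'System32\\config\\' } |
        Select-Object TimeCreated, Id, @{ n = 'Account'; e = { ($_.Message -split "`n" |
            Select-String 'Account Name:').Line.Trim() } }, @{ n = 'Object'; e = { ($_.Message -split "`n" |
            Select-String 'Object Name:').Line.Trim() } }
}

# Summary report for the host this runs on.
$registryOk = Test-MitigationRegistry
$patchOk    = Test-PatchedBuild
"EnableFileRead = 0 : $registryOk"
"Build $(Get-CurrentBuild) >= $PatchedBuild : $patchOk"
if (-not ($registryOk -or $patchOk)) {
    Write-Warning 'Neither the workaround nor the patch is present on this host.'
}
"Object-access events on System32\config in the last 24h:"
Get-SuspiciousSystemFileReads | Format-Table -AutoSize
```

Run it elevated on each affected host; the registry check needs read access to HKLM only, while the event query needs rights to the Security log. A host that fails both checks should be treated as still exposed.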

Timeline

  • 2026-05-01: CVE disclosed by Microsoft Security Response Center (MSRC).
  • 2026-05-02: Patch released to all supported Windows 11 and Server 2026 builds.
  • 2026-05-03: MSRC recommends immediate deployment.
  • 2026-05-10: Advisory updated with additional mitigation for legacy systems.

Further Resources

Act now. Failure to patch exposes your organization to immediate data theft. Apply the update, verify the registry change, and monitor for anomalous file reads.
