CVE‑2026‑46152 – Windows Kernel Privilege Escalation

Impact

• Severity: CVSS 9.8 (Critical)
• Affected OS: Windows 10 version 24H2 and later, Windows 11 version 25H1 and later
• Exploitability: Local user can run arbitrary code with SYSTEM rights
• Potential Damage: Full control over the machine, data exfiltration, persistence, lateral movement

Technical Details

The flaw resides in the Windows kernel’s handling of the \Device\DriverObject structure during a race condition in the DeviceCreate routine. An attacker can craft a specially formatted device name that triggers an out‑of‑bounds write, overwriting the ObjectType field. This grants the attacker the ability to execute arbitrary code in kernel mode.

• Race window: 2–3 milliseconds during device creation
• Trigger: Local user with sufficient privileges to create a device object
• Payload: Injected code gains SYSTEM rights

Mitigation Steps

1. Apply the latest cumulative update for Windows 10 24H2 or Windows 11 25H1. The patch is available in the Security Update Guide under CVE‑2026‑46152.
   • Download from the Microsoft Update Catalog.
2. Reboot the affected systems immediately after installation.
3. Disable legacy device drivers that use the vulnerable API if patching is delayed. Use group policy to block the \Device\LegacyDriver namespace.
4. Implement least privilege: Restrict local user accounts from creating device objects. Enforce the Device Installation Restrictions policy.
5. Monitor for anomalous SYSTEM processes using Sysmon or Windows Event Forwarding.

Timeline

• 2026‑04‑15: CVE published, initial advisory released.
• 2026‑04‑20: Microsoft releases the cumulative update.
• 2026‑04‑25: Security Update Guide updated with mitigation instructions.
• 2026‑05‑01: Advisory updated to include known exploitation samples.

Resources

• Official Microsoft Security Advisory
• CVE Details
• Sysmon Configuration Guide

Immediate Action Required

Apply the patch, reboot, and verify the update via wmic qfe list brief. Monitor for any SYSTEM processes that appear without legitimate justification. Failure to act exposes your environment to total compromise.