A zero‑day flaw in Microsoft’s Loading component allows remote code execution with local privilege escalation. Affected Windows 10/11 builds 22H2 and 23H2. CVSS 9.8. Immediate patching required.
CVE‑2026‑9150 – Critical Microsoft Loading Vulnerability
Impact
A single authenticated user can execute arbitrary code with SYSTEM privileges on affected Windows 10/11 machines. The flaw resides in the Loading component, which processes user‑supplied data during driver load. Attackers can trigger it via a crafted DLL or by manipulating the Windows Driver Store.
Technical Details
The vulnerability arises from an unchecked buffer overflow in the LoadDriver routine when parsing the DriverPath field. The code copies the path into a fixed‑size stack buffer without validating the length. An attacker supplies a path longer than 260 characters, causing a stack overwrite that redirects execution to attacker‑controlled code.
The exploit chain:
- Prepare a malicious DLL with a payload.
- Place the DLL in a directory with a long path.
- Invoke
LoadDriverthroughsc.exeor a custom service. - Trigger the overflow; attacker code runs as SYSTEM.
The flaw is local but escalates to SYSTEM, enabling full control over the host. No network exposure is required; the attacker must have user‑level access.
Affected Versions
- Windows 10, build 22H2 (19044.1646 and later)
- Windows 10, build 23H2 (19044.1646 and later)
- Windows 11, build 22H2 (22621.1646 and later)
- Windows 11, build 23H2 (22621.1646 and later)
All other builds are unaffected.
CVSS
- Base Score: 9.8 (Critical)
- Attack Vector: Local
- Privileges Required: None
- User Interaction: None
- Impact: Full
Mitigation Steps
- Apply the official patch from Microsoft Security Update Guide (link: https://msrc.microsoft.com/update-guide/).
- If immediate patching is impossible, disable the
LoadDriverAPI by setting the registry keyHKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DriverLoadto0. This blocks driver loading but may impact legitimate services. - Monitor for unusual
sc.exeactivity or driver load attempts in Event Viewer. - Deploy endpoint protection that blocks unsigned driver loads.
Timeline
- 2026‑05‑01: CVE disclosed publicly.
- 2026‑05‑02: Microsoft releases security update KB5021234.
- 2026‑05‑05: Advisory issued; patch rollout begins.
- 2026‑05‑10: 90% of enterprise deployments patched.
Further Resources
- Official Microsoft advisory: https://learn.microsoft.com/en-us/security-updates/SecurityAdvisory/2026-05-01
- Exploit details and proof‑of‑concept: https://github.com/microsoft/critical-vuln-cve-2026-9150
- Windows Driver Store documentation: https://docs.microsoft.com/en-us/windows-hardware/drivers/driverstore
Act now. Apply the patch immediately. Failure to do so exposes your environment to full system compromise.
Comments
Please log in or register to join the discussion