
Urgent: Windows 10/11 Privilege Escalation – CVE‑2026‑43493

Vulnerabilities Reporter

A critical kernel‑mode vulnerability in recent Windows releases allows a local attacker to gain SYSTEM privileges. Immediate patching is required.


Impact

A local attacker can gain SYSTEM rights on Windows 10 22H2, Windows 11 22H2, and Windows Server 2022. The flaw lives in the Windows kernel driver \Device\KernelDriver. Exploitation requires only a user‑mode program running with standard privileges. Once exploited, the flaw lets the attacker install rootkits, exfiltrate data, and maintain persistence.

Technical Details

  • CVE ID: CVE‑2026‑43493
  • Affected products: Windows 10 22H2 (build 22621.1+), Windows 11 22H2 (build 22621.1+), Windows Server 2022 (build 20348.1+)
  • CVSS v3.1 base score: 9.8 (Critical)
  • Exploit vector: Local
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Affected component: Windows kernel driver \Device\KernelDriver
  • Root cause: Improper bounds checking during buffer copy in the IoCreateDevice routine. An attacker can overflow the internal buffer, overwrite the DeviceObject pointer, and redirect execution to arbitrary code.

The vulnerability is triggered by a specially crafted file placed in the %SystemRoot%\System32\Drivers folder. When the driver loads, the overflow occurs during initialization, allowing the attacker to execute shellcode in kernel mode.

Mitigation Steps

  1. Apply the cumulative update KB502XXXX released on 25 Oct 2026. Download from the Microsoft Update Catalog.
  2. If automatic updates are disabled, run sfc /scannow followed by DISM /Online /Cleanup-Image /RestoreHealth to ensure the system is clean before installing the patch.
  3. Verify the patch by checking the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Security\KB502XXXX for the presence of the update.
  4. Restart the machine to complete the installation.
  5. For servers with high availability, schedule a maintenance window to apply the update and reboot.

If you cannot apply the update immediately, isolate the affected systems from the network and monitor them for suspicious activity. Use Windows Defender Advanced Threat Protection (ATP) to detect anomalous process creation and kernel driver loading.
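The verification in steps 3 and 4 above, plus a quick review of the driver folder the advisory names as the trigger location, as an added PowerShell script that is not part of the advisory. It assumes the KB placeholder KB502XXXX is replaced with the real article number, and that the registry marker path is exactly the one the advisory gives; the affected build numbers (22621, 20348) are taken from the Technical Details list.

```powershell
# Added verification script (not from the advisory). Run in an elevated PowerShell.
$Kb = 'KB502XXXX'   # placeholder from the advisory; substitute the real KB id

# Current OS build and update build revision (UBR) from the standard version key
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuild
$ubr   = [int]$cv.UBR

# Builds the advisory lists as affected: 22621 (Win10/Win11 22H2) and 20348 (Server 2022)
$affected = $build -in @(22621, 20348)

# Check 1: the update appears in the installed hotfix inventory
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
# Check 2: the registry marker the advisory says the update writes (step 3)
$marker = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Security\$Kb"
# Check 3: a pending reboot means the fix is not active yet (step 4)
$pendingReboot = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                 (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

$installed = [bool]$hotfix -or $marker
if (-not $affected)      { $status = 'NotAffected' }
elseif (-not $installed) { $status = 'Unpatched' }
elseif ($pendingReboot)  { $status = 'PatchedRebootPending' }
else                     { $status = 'Patched' }

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Build          = "$build.$ubr"
    Affected       = $affected
    HotfixPresent  = [bool]$hotfix
    RegistryMarker = $marker
    RebootPending  = $pendingReboot
    Status         = $status
}

# Interim check while unpatched: the advisory says the trigger is a crafted file dropped
# in the Drivers folder, so list recently changed driver files and their signature status
# for review (an unsigned or recently added file here deserves a closer look).
if ($affected -and -not $installed) {
    Get-ChildItem "$env:SystemRoot\System32\Drivers" -File |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
        Select-Object Name, LastWriteTime, Length,
            @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } } |
        Sort-Object LastWriteTime -Descending
}
```

Run it across a fleet with Invoke-Command and collect the returned objects; any host reporting Unpatched after the 31 Oct deadline should be isolated as the paragraph above describes.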

Timeline

  • Discovery: 12 Oct 2026 – Microsoft Security Response Center (MSRC) identified the flaw during routine code review.
  • Internal patching: 20 Oct 2026 – Security team fixed the buffer overflow.
  • Public disclosure: 22 Oct 2026 – MSRC released advisory and CVE details.
  • Patch release: 25 Oct 2026 – KB502XXXX made available through Windows Update and catalog.
  • Mitigation deadline: 31 Oct 2026 – Microsoft recommends all affected systems be patched by this date to mitigate exploitation risk.

Additional Resources

Act now. Apply the patch, reboot, and verify the update. Failure to do so exposes your environment to immediate exploitation.
