Windows Secure Kernel Double-Free Flaw Enables Privilege Escalation
Microsoft disclosed and patched CVE-2026-26179, a Windows Secure Kernel elevation-of-privilege vulnerability caused by a double-free condition. The flaw, also tracked as ZDI-26-276, stems from improper validation of an object’s existence before additional free operations occur, creating a path for a local attacker to escalate privileges on affected Windows systems.
According to Zero Day Initiative, successful exploitation requires an attacker to already be able to execute high-privileged code on the target, after which arbitrary code execution may be possible in the context of the VTL1 Secure Kernel. The issue was assigned a CVSS 7.5 score, credited to researcher fastfail, reported to Microsoft in December 2025, and addressed through a Microsoft security update.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-26179 is publicly disclosed
Zero Day Initiative publicly disclosed CVE-2026-26179 / ZDI-26-276, describing it as a Microsoft Windows Secure Kernel double free vulnerability that could allow local privilege escalation to VTL1 Secure Kernel context.
Microsoft releases fix for CVE-2026-26179
Microsoft published a Security Update Guide entry for CVE-2026-26179, a Windows Kernel Elevation of Privilege vulnerability, indicating an update was made available to remediate the issue.
Researcher reports Windows Secure Kernel flaw to Microsoft
Security researcher fastfail reported a Microsoft Windows Secure Kernel double free vulnerability, later tracked as CVE-2026-26179 and ZDI-26-276, to Microsoft through coordinated disclosure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
ZDI-26-276 | Zero Day Initiative
zerodayinitiative.com
Open sourceCVE-2026-26179 - Security Update Guide - Microsoft - Windows Kernel Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-26179 - Security Update Guide - Microsoft - Windows Kernel Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Windows Kernel Privilege Escalation Vulnerability CVE-2025-62215
Microsoft has disclosed a critical elevation-of-privilege vulnerability in the Windows Kernel, tracked as CVE-2025-62215, which is being actively exploited in the wild. The flaw arises from a race condition and improper memory management, specifically a double-free scenario, allowing local attackers to escalate privileges to SYSTEM level. Exploitation requires an attacker to already have access to the system, but no user interaction is needed, and the attack can be automated. Microsoft has rated the vulnerability as Important, with a CVSS score of 7.0, and notes that all supported Windows 10 editions are affected, including those under Extended Security Updates (ESU). No workaround is available other than applying the official update, and immediate patching is strongly recommended. The vulnerability is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-415 (Double Free), making it a classic post-compromise privilege escalation vector. Attackers can exploit the timing-sensitive memory corruption path in the kernel to gain elevated access, disable security defenses, and move laterally within networks. The attack surface is particularly concerning in enterprise environments where multiple users share access, as any authenticated user can potentially trigger the exploit. Security experts warn that both targeted threat actors and ransomware operators may leverage this flaw to deepen their foothold after initial access, emphasizing the urgency of deploying the security update across all affected systems.
Mar 21, 2026
Windows Kernel Elevation of Privilege Vulnerability (CVE-2026-26132)
Microsoft published details for **CVE-2026-26132**, an **Important** severity **Windows Kernel** *elevation of privilege* vulnerability caused by **CWE-416 (use-after-free)**. The issue is scored **CVSS 3.1: 7.8** with vector `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, indicating exploitation requires **local access** and **low complexity**, with **low privileges required** and **no user interaction**, and could result in high impact to confidentiality, integrity, and availability. Microsoft’s Security Update Guide entry provides standard machine-consumable references (e.g., *PowerShell*, *API*, and *CSAF* links) for tracking and patch management. No additional exploitation details, in-the-wild exploitation confirmation, or public proof-of-concept information is included in the provided material beyond the vulnerability classification and scoring.
Mar 21, 2026
Microsoft Patches Multiple Windows Use-After-Free Privilege Escalation Flaws
Microsoft released fixes for several **Windows elevation-of-privilege vulnerabilities** affecting **Win32k**, **Windows Telephony Service**, **Desktop Window Manager**, and the **Windows Cloud Files Mini Filter Driver**. The disclosed flaws include `CVE-2026-34347`, `CVE-2026-42825`, `CVE-2026-27923`, and `CVE-2026-35418`, and are all tied to **use-after-free** conditions, with some cases also involving race conditions such as time-of-check time-of-use behavior. Microsoft said successful exploitation could let a locally authenticated attacker with low privileges gain **SYSTEM** access without user interaction. The vulnerabilities were rated **Important** with **CVSS 3.1 scores ranging from 7.0 to 7.8**, and Microsoft assessed exploitation as **less likely or unlikely** because several attacks require winning a race condition. At the time of disclosure, Microsoft reported **no public disclosure and no evidence of active exploitation** for the documented 2026 flaws, and stated that official security updates were available. Additional Microsoft advisories also reference related Windows and Microsoft Brokering File System elevation-of-privilege issues, including `CVE-2026-24285`, `CVE-2025-32712`, `CVE-2025-21372`, `CVE-2025-21315`, and `CVE-2025-59189`, though public technical details for those entries were limited.
May 25, 2026