Tags: endpoint-software-vulnerability, widely-deployed-product-advisory, credential-access-method

Microsoft Patches Multiple Windows Use-After-Free Privilege Escalation Flaws

Updated 28d ago | First seen May 25, 2026 | 11 sources

Microsoft released fixes for several Windows elevation-of-privilege vulnerabilities affecting Win32k, Windows Telephony Service, Desktop Window Manager, and the Windows Cloud Files Mini Filter Driver. The disclosed flaws include CVE-2026-34347, CVE-2026-42825, CVE-2026-27923, and CVE-2026-35418, and are all tied to use-after-free conditions, with some cases also involving race conditions such as time-of-check time-of-use behavior. Microsoft said successful exploitation could let a locally authenticated attacker with low privileges gain SYSTEM access without user interaction.

The vulnerabilities were rated Important with CVSS 3.1 scores ranging from 7.0 to 7.8, and Microsoft assessed exploitation as less likely or unlikely because several attacks require winning a race condition. At the time of disclosure, Microsoft reported no public disclosure and no evidence of active exploitation for the documented 2026 flaws, and stated that official security updates were available. Additional Microsoft advisories also reference related Windows and Microsoft Brokering File System elevation-of-privilege issues, including CVE-2026-24285, CVE-2025-32712, CVE-2025-21372, CVE-2025-21315, and CVE-2025-59189, though public technical details for those entries were limited.

EVENT TIMELINE

How this story unfolded

11 events from the most recent confirmed update back to the earliest known activity.

May 12, 2026 (1mo ago)

Microsoft discloses CVE-2026-42825 Telephony Service flaw

Microsoft disclosed CVE-2026-42825, an Important Windows Telephony Service elevation-of-privilege vulnerability caused by a use-after-free flaw. The advisory states exploitation would require winning a race condition to obtain SYSTEM privileges, with no public disclosure or in-the-wild exploitation reported and an official fix released.

Microsoft discloses CVE-2026-35418 Cloud Files Mini Filter Driver flaw

Microsoft disclosed CVE-2026-35418, an Important elevation-of-privilege vulnerability in the Windows Cloud Files Mini Filter Driver involving a use-after-free and TOCTOU race condition. Microsoft said the flaw could let a locally authorized low-privilege attacker elevate to SYSTEM, was not publicly disclosed or exploited in the wild, and was fixed at publication.

Microsoft discloses CVE-2026-34337 Cloud Files Mini Filter Driver flaw

Microsoft disclosed CVE-2026-34337, an Important elevation-of-privilege vulnerability in the Windows Cloud Files Mini Filter Driver caused by a use-after-free condition and race condition weakness. The advisory said a locally authenticated low-privilege attacker could elevate to SYSTEM without user interaction, with no public disclosure or active exploitation reported and an official fix available at publication.

CVE-2026-34337 - Security Update Guide - Microsoft - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Microsoft discloses CVE-2026-34347 Win32k-GRFX flaw

Microsoft disclosed CVE-2026-34347, an Important Windows Win32k elevation-of-privilege vulnerability caused by a use-after-free flaw in Win32K-GRFX. The company said a locally authenticated low-privilege attacker could potentially gain SYSTEM privileges by winning a race condition, with no public disclosure or active exploitation reported and a fix available.

Apr 14, 2026 (2mo ago)

Microsoft discloses CVE-2026-27924 Desktop Window Manager flaw

Microsoft published a Security Update Guide entry for CVE-2026-27924, a Desktop Window Manager elevation-of-privilege vulnerability. Although no synopsis is provided in the reference, the publication indicates formal disclosure through Microsoft's advisory process with a security update available.

CVE-2026-27924 - Security Update Guide - Microsoft - Desktop Window Manager Elevation of Privilege Vulnerability

Microsoft discloses CVE-2026-27923 Desktop Window Manager flaw

Microsoft disclosed CVE-2026-27923, an Important Desktop Window Manager elevation-of-privilege vulnerability caused by a use-after-free weakness. The company said exploitation was not publicly disclosed or observed in the wild, assessed exploitation as less likely, and released an official fix.

Mar 10, 2026 (4mo ago)

Microsoft discloses CVE-2026-24285 Win32k EoP flaw

Microsoft added CVE-2026-24285 to the Security Update Guide as a Win32k elevation-of-privilege vulnerability. Although no synopsis is provided in the reference, the publication indicates formal disclosure and patch availability through Microsoft's update process.

Oct 14, 2025 (8mo ago)

Microsoft discloses CVE-2025-59189 and releases a fix

Microsoft published advisory information for CVE-2025-59189, a Microsoft Brokering File System elevation-of-privilege vulnerability. The Security Update Guide entry indicates disclosure and patch availability on the publication date.

Jun 10, 2025 (1y ago)

Microsoft discloses CVE-2025-32712 Win32k EoP flaw

Microsoft published a Security Update Guide entry for CVE-2025-32712, a Win32k elevation-of-privilege vulnerability. While the reference provides no synopsis, the publication reflects formal disclosure through Microsoft's advisory process with a security update release.

Jan 14, 2025 (1y ago)

Microsoft discloses CVE-2025-21372 and releases a fix

Microsoft published advisory information for CVE-2025-21372, another Microsoft Brokering File System elevation-of-privilege vulnerability. The Security Update Guide entry shows the issue was disclosed with a corresponding fix available on the publication date.

Microsoft discloses CVE-2025-21315 and releases a fix

On Patch Tuesday, Microsoft published guidance for CVE-2025-21315, a Microsoft Brokering File System elevation-of-privilege vulnerability. The reference indicates an official security update was made available at publication.

SOURCE COVERAGE

Sources

11 references tracked.

Msrc Microsoft (Advisories), May 12, 2026
CVE-2026-42825 - Security Update Guide - Microsoft - Windows Telephony Service Elevation of Privilege Vulnerability (msrc.microsoft.com)

Msrc Microsoft (Advisories), May 12, 2026
CVE-2026-35418 - Security Update Guide - Microsoft - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability (msrc.microsoft.com)

Msrc Microsoft (Advisories), May 12, 2026
CVE-2026-34347 - Security Update Guide - Microsoft - Windows Win32k Elevation of Privilege Vulnerability (msrc.microsoft.com)

Msrc Microsoft (Advisories), May 12, 2026
CVE-2026-34337 - Security Update Guide - Microsoft - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability (msrc.microsoft.com)

3 additional sources from 10-03-2026 to 14-04-2026

Msrc Microsoft (Advisories), Oct 14, 2025
CVE-2025-59189 - Security Update Guide - Microsoft - Microsoft Brokering File System Elevation of Privilege Vulnerability (msrc.microsoft.com)

Msrc Product Advisories (Advisories), Jun 10, 2025
CVE-2025-32712 - Security Update Guide - Microsoft - Win32k Elevation of Privilege Vulnerability (msrc.microsoft.com)

Msrc Microsoft (Advisories), Jan 14, 2025
CVE-2025-21315 - Security Update Guide - Microsoft - Microsoft Brokering File System Elevation of Privilege Vulnerability (msrc.microsoft.com)

Msrc Microsoft (Advisories), Jan 14, 2025
CVE-2025-21372 - Security Update Guide - Microsoft - Microsoft Brokering File System Elevation of Privilege Vulnerability (msrc.microsoft.com)