Introduction
A use after free vulnerability in the Windows Cloud Files Mini Filter Driver, disclosed as part of Microsoft's May 2026 Patch Tuesday, gives any low privilege local user a path to SYSTEM level access with no user interaction required. With Windows commanding over 31 percent of the North American operating system market and the affected driver (cldflt.sys) supporting cloud sync features like OneDrive and Windows 365, the exposure surface across enterprise environments is significant.
Technical Information
CVE-2026-33835 is rooted in a use after free condition (CWE-416) within the Windows Cloud Files Mini Filter Driver, specifically the cldflt.sys kernel mode component. Use after free vulnerabilities occur when a program continues to reference memory after it has been deallocated, allowing an attacker to manipulate the contents of that freed memory region to achieve arbitrary code execution or privilege escalation.
CVSS Metrics
The full CVSS 3.1 vector string is:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
| Metric | Value | Significance |
|---|---|---|
| Base Score | 7.8 | High severity local privilege escalation |
| Temporal Score | 6.8 | Reduced due to official fix availability |
| Attack Vector | Local | Requires local system access |
| Attack Complexity | Low | No special conditions needed |
| Privileges Required | Low | Standard user account sufficient |
| User Interaction | None | Exploitable solely at the attacker's discretion |
| Scope | Unchanged | Impact confined to the vulnerable component's authority |
| Confidentiality / Integrity / Availability | High / High / High | Full compromise of the local security boundary |
Attack Flow
The exploitation path for this vulnerability follows a pattern common to kernel mode use after free flaws:
-
Initial access: The attacker must first obtain local, low privilege access to a Windows system where the Cloud Files Mini Filter Driver is loaded. This driver is present on systems using cloud file synchronization features such as OneDrive or Windows 365.
-
Triggering the use after free: The attacker crafts specific I/O request patterns or IOCTL calls targeting the
cldflt.sysminifilter driver. These requests are designed to trigger a code path where a memory object is freed but a dangling reference to that object persists. -
Memory manipulation: After the memory is freed, the attacker reclaims the freed memory region with attacker controlled data. Because
cldflt.sysoperates in kernel mode, corrupting this memory can allow the attacker to hijack execution flow at the kernel level. -
Privilege escalation to SYSTEM: Microsoft confirms that successful exploitation grants SYSTEM privileges, representing a complete compromise of the local security boundary. This could allow the attacker to install software, access all data on the system, create new accounts, or pivot further within the network.
The low attack complexity and absence of any user interaction requirement mean that once an attacker has a foothold, exploitation can proceed entirely at the attacker's discretion.
Microsoft credited Joe Desimone with Elastic Security for coordinated vulnerability disclosure of this issue.
Detection Methods
Snort IDS/IPS Signatures
Cisco Talos published dedicated IDS/IPS signatures targeting CVE-2026-33835 on May 12, 2026, the same day the vulnerability was disclosed. The specific rule identifiers are:
- Snort 2: GID 1, SID 66438 and SID 66439
- Snort 3: GID 1, SID 301494
All rules carry the alert message OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt and belong to the os-windows rule group.
An important operational detail: in the Snort 2 rule packs, both SID 66438 and SID 66439 ship with a disabled default state. Organizations relying on Snort 2 must explicitly enable these rules in their local policy configuration for them to fire. Snort 3 deployments should verify that SID 301494 is active as well.
The rules are available across a wide range of Snort engine versions: Snort 2 packs for versions 2091701, 2091801, and 2092000, and Snort 3 packs spanning versions 3.1.11.0 through 3.12.0.0. Most current deployments should be able to pull them from the latest subscriber rule update. An active Cisco Talos Snort Subscriber Ruleset subscription is required; updates are distributed through Snort.org rule packs and Cisco Secure Firewall (formerly Firepower) management consoles.
Host Based Detection Guidance
Because CVE-2026-33835 is a local elevation of privilege vulnerability, network based signatures alone may not provide full visibility since an attacker already needs local low privilege access to exploit it. Complementary host based detection is critical.
Security teams should consider monitoring for the following behavioral indicators:
Unexpected privilege escalation to SYSTEM: Since Microsoft confirms that successful exploitation grants SYSTEM privileges, monitoring Windows Security Event Logs (Event IDs 4672 and 4624 for special privilege logon events) for processes that unexpectedly acquire SYSTEM level tokens is a strong detection signal. EDR tools capable of tracking token manipulation and privilege changes at the process level are well suited here.
Anomalous interaction with the Cloud Files Mini Filter Driver: The cldflt.sys minifilter driver is loaded to support Windows cloud file synchronization features. Unusual I/O request patterns or IOCTL calls targeting this driver, especially from processes that would not normally interact with cloud sync subsystems, may indicate exploitation. Kernel driver audit logs and Sysmon (Event ID 6 for driver loads, Event ID 1 for process creation) can help surface these anomalies.
Process lineage analysis: A hallmark of local EoP exploitation is a low privilege process spawning child processes running as SYSTEM. SIEM correlation rules or EDR detections that flag such parent/child privilege boundary violations, particularly where the parent process has recently interacted with minifilter driver components, would serve as a strong post exploitation detection layer.
No public file hash based IoCs, IP based indicators, or standalone YARA rules for CVE-2026-33835 have been published as of this writing. The Snort signatures from Talos remain the only vendor released, CVE specific detection signatures currently available.
Affected Systems and Versions
The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys) across Windows operating systems. Microsoft's Security Update Guide does not enumerate specific Windows versions in the publicly available advisory excerpts. Administrators should consult the Microsoft Security Update Guide product matrix for CVE-2026-33835 to identify all affected Windows editions and versions in their environment. The driver is present on systems that support cloud file synchronization features, including those using OneDrive and Windows 365.
Vendor Security History
CVE-2026-33835 was addressed as part of the May 2026 Patch Tuesday cycle, which fixed between 120 and 137 vulnerabilities across Microsoft products, with up to 31 marked as critical. None of the vulnerabilities in this particular release were observed as actively exploited zero days at the time of publication. The volume of fixes in a single monthly cycle reflects the ongoing challenge of securing a codebase as large and widely deployed as Windows.
References
- Microsoft Security Update Guide: CVE-2026-33835
- NVD Entry for CVE-2026-33835
- Microsoft Patch Tuesday for May 2026, Cisco Talos Intelligence
- The May 2026 Security Update Review, Zero Day Initiative
- Snort Subscriber Rules Update 2026-05-12
- Talos Rules Advisory 2026-05-12
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days, BleepingComputer
- Operating System Market Share North America, StatCounter



