ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-33835, Use After Free in Windows Cloud Files Mini Filter Driver Enables Local Privilege Escalation

A brief summary of CVE-2026-33835, a use after free vulnerability in the Windows Cloud Files Mini Filter Driver that allows local privilege escalation to SYSTEM. We cover the technical details, CVSS metrics, detection signatures from Cisco Talos, and host based monitoring guidance.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Quick Look: CVE-2026-33835, Use After Free in Windows Cloud Files Mini Filter Driver Enables Local Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A use after free vulnerability in the Windows Cloud Files Mini Filter Driver, disclosed as part of Microsoft's May 2026 Patch Tuesday, gives any low privilege local user a path to SYSTEM level access with no user interaction required. With Windows commanding over 31 percent of the North American operating system market and the affected driver (cldflt.sys) supporting cloud sync features like OneDrive and Windows 365, the exposure surface across enterprise environments is significant.

Technical Information

CVE-2026-33835 is rooted in a use after free condition (CWE-416) within the Windows Cloud Files Mini Filter Driver, specifically the cldflt.sys kernel mode component. Use after free vulnerabilities occur when a program continues to reference memory after it has been deallocated, allowing an attacker to manipulate the contents of that freed memory region to achieve arbitrary code execution or privilege escalation.

CVSS Metrics

The full CVSS 3.1 vector string is:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

MetricValueSignificance
Base Score7.8High severity local privilege escalation
Temporal Score6.8Reduced due to official fix availability
Attack VectorLocalRequires local system access
Attack ComplexityLowNo special conditions needed
Privileges RequiredLowStandard user account sufficient
User InteractionNoneExploitable solely at the attacker's discretion
ScopeUnchangedImpact confined to the vulnerable component's authority
Confidentiality / Integrity / AvailabilityHigh / High / HighFull compromise of the local security boundary

Attack Flow

The exploitation path for this vulnerability follows a pattern common to kernel mode use after free flaws:

  1. Initial access: The attacker must first obtain local, low privilege access to a Windows system where the Cloud Files Mini Filter Driver is loaded. This driver is present on systems using cloud file synchronization features such as OneDrive or Windows 365.

  2. Triggering the use after free: The attacker crafts specific I/O request patterns or IOCTL calls targeting the cldflt.sys minifilter driver. These requests are designed to trigger a code path where a memory object is freed but a dangling reference to that object persists.

  3. Memory manipulation: After the memory is freed, the attacker reclaims the freed memory region with attacker controlled data. Because cldflt.sys operates in kernel mode, corrupting this memory can allow the attacker to hijack execution flow at the kernel level.

  4. Privilege escalation to SYSTEM: Microsoft confirms that successful exploitation grants SYSTEM privileges, representing a complete compromise of the local security boundary. This could allow the attacker to install software, access all data on the system, create new accounts, or pivot further within the network.

The low attack complexity and absence of any user interaction requirement mean that once an attacker has a foothold, exploitation can proceed entirely at the attacker's discretion.

Microsoft credited Joe Desimone with Elastic Security for coordinated vulnerability disclosure of this issue.

Detection Methods

Snort IDS/IPS Signatures

Cisco Talos published dedicated IDS/IPS signatures targeting CVE-2026-33835 on May 12, 2026, the same day the vulnerability was disclosed. The specific rule identifiers are:

  • Snort 2: GID 1, SID 66438 and SID 66439
  • Snort 3: GID 1, SID 301494

All rules carry the alert message OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt and belong to the os-windows rule group.

An important operational detail: in the Snort 2 rule packs, both SID 66438 and SID 66439 ship with a disabled default state. Organizations relying on Snort 2 must explicitly enable these rules in their local policy configuration for them to fire. Snort 3 deployments should verify that SID 301494 is active as well.

The rules are available across a wide range of Snort engine versions: Snort 2 packs for versions 2091701, 2091801, and 2092000, and Snort 3 packs spanning versions 3.1.11.0 through 3.12.0.0. Most current deployments should be able to pull them from the latest subscriber rule update. An active Cisco Talos Snort Subscriber Ruleset subscription is required; updates are distributed through Snort.org rule packs and Cisco Secure Firewall (formerly Firepower) management consoles.

Host Based Detection Guidance

Because CVE-2026-33835 is a local elevation of privilege vulnerability, network based signatures alone may not provide full visibility since an attacker already needs local low privilege access to exploit it. Complementary host based detection is critical.

Security teams should consider monitoring for the following behavioral indicators:

Unexpected privilege escalation to SYSTEM: Since Microsoft confirms that successful exploitation grants SYSTEM privileges, monitoring Windows Security Event Logs (Event IDs 4672 and 4624 for special privilege logon events) for processes that unexpectedly acquire SYSTEM level tokens is a strong detection signal. EDR tools capable of tracking token manipulation and privilege changes at the process level are well suited here.

Anomalous interaction with the Cloud Files Mini Filter Driver: The cldflt.sys minifilter driver is loaded to support Windows cloud file synchronization features. Unusual I/O request patterns or IOCTL calls targeting this driver, especially from processes that would not normally interact with cloud sync subsystems, may indicate exploitation. Kernel driver audit logs and Sysmon (Event ID 6 for driver loads, Event ID 1 for process creation) can help surface these anomalies.

Process lineage analysis: A hallmark of local EoP exploitation is a low privilege process spawning child processes running as SYSTEM. SIEM correlation rules or EDR detections that flag such parent/child privilege boundary violations, particularly where the parent process has recently interacted with minifilter driver components, would serve as a strong post exploitation detection layer.

No public file hash based IoCs, IP based indicators, or standalone YARA rules for CVE-2026-33835 have been published as of this writing. The Snort signatures from Talos remain the only vendor released, CVE specific detection signatures currently available.

Affected Systems and Versions

The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys) across Windows operating systems. Microsoft's Security Update Guide does not enumerate specific Windows versions in the publicly available advisory excerpts. Administrators should consult the Microsoft Security Update Guide product matrix for CVE-2026-33835 to identify all affected Windows editions and versions in their environment. The driver is present on systems that support cloud file synchronization features, including those using OneDrive and Windows 365.

Vendor Security History

CVE-2026-33835 was addressed as part of the May 2026 Patch Tuesday cycle, which fixed between 120 and 137 vulnerabilities across Microsoft products, with up to 31 marked as critical. None of the vulnerabilities in this particular release were observed as actively exploited zero days at the time of publication. The volume of fixes in a single monthly cycle reflects the ongoing challenge of securing a codebase as large and widely deployed as Windows.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization