ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-34337 — Windows Cloud Files Mini Filter Driver Use After Free Privilege Escalation

A short review of CVE-2026-34337, a use after free vulnerability in the Windows Cloud Files Mini Filter Driver that allows local privilege escalation to SYSTEM. Includes patch details and affected build numbers across Windows 10, 11, and Server editions.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-34337 — Windows Cloud Files Mini Filter Driver Use After Free Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A use after free vulnerability in the Windows Cloud Files Mini Filter Driver, patched in the May 2026 Patch Tuesday cycle, gives any low privilege local user a reliable path to SYSTEM level access. With a CVSS score of 7.8 and low attack complexity requiring no user interaction, CVE-2026-34337 represents a meaningful post compromise escalation primitive for attackers who have already established a foothold on a Windows machine.

What makes this particular fix worth paying attention to is context: Microsoft patched three separate Elevation of Privilege vulnerabilities in the same cldflt.sys driver in a single update cycle, all carrying identical severity ratings. That kind of clustering in a kernel mode component signals that the driver has been under serious scrutiny and warrants prompt patching.

Technical Information

The Vulnerable Component

The Windows Cloud Files Mini Filter Driver (cldflt.sys) is a kernel mode file system mini filter that underpins cloud file synchronization features in Windows, including OneDrive's Files On Demand functionality. As a mini filter driver, it operates at a privileged level within the Windows I/O stack, intercepting and processing file system requests before they reach the underlying file system driver.

Root Cause

CVE-2026-34337 is the result of two interrelated software weaknesses:

  1. CWE-416 (Use After Free): The driver frees a memory object but fails to invalidate all references to it. A subsequent operation dereferences the now stale pointer, accessing memory that may have been reallocated for a different purpose.
  2. CWE-362 (Race Condition): Concurrent execution paths within the driver share a resource without proper synchronization. This creates a timing window where one thread can free an object while another thread still holds and uses a reference to it.

The patch addresses both issues by ensuring that memory references are properly invalidated before deallocation and that concurrent execution paths cannot trigger a stale pointer dereference.

CVSS Breakdown

The full CVSS 3.1 vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which tells us quite a bit about the exploitation profile:

MetricValueImplication
Attack VectorLocalAttacker must have local access to the target system
Attack ComplexityLowNo specialized conditions required; repeatable success expected
Privileges RequiredLowBasic user privileges are sufficient
User InteractionNoneNo action from another user is needed
ScopeUnchangedExploit does not cross security authority boundaries
ConfidentialityHighComplete loss of confidentiality via SYSTEM access
IntegrityHighFull ability to modify system files and configurations
AvailabilityHighPotential to fully disrupt system operations

The low attack complexity rating is the detail that stands out most. For a race condition based vulnerability, this indicates the timing window is not narrow or difficult to hit, meaning exploitation does not require precise environmental conditions or repeated attempts.

Attack Flow

Based on the CWE classifications and CVSS metrics, the exploitation path would follow this general sequence:

  1. An attacker with low privilege local access identifies the vulnerable cldflt.sys driver on the target system.
  2. The attacker triggers concurrent operations against the Cloud Files Mini Filter Driver, exploiting the race condition to create a window where a memory object is freed while a reference to it persists in another execution path.
  3. The attacker manipulates the freed memory region (for example, through heap spraying or controlled allocation) so that when the stale pointer is dereferenced, execution is redirected to attacker controlled code.
  4. Because cldflt.sys operates in kernel mode, successful exploitation yields SYSTEM level privileges, granting full control over the machine.

No proof of concept code or detailed exploitation methodology has been publicly disclosed. The analysis above is derived strictly from the CWE classifications, CVSS metrics, and patch description provided by Microsoft.

Patch Information

Microsoft released the official fix for CVE-2026-34337 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the Remediation Level as "Official Fix." No workarounds or configuration based mitigations exist; the only remediation path is to install the appropriate cumulative security update.

The following table lists the relevant Knowledge Base articles and minimum fixed build numbers:

ProductKB Article(s)Fixed Build Number
Windows 10 Version 1809 / Windows Server 2019KB508753810.0.17763.8755
Windows 10 Version 21H2KB508754410.0.19044.7291
Windows 10 Version 22H2KB508754410.0.19045.7291
Windows 11 Version 23H2KB508742010.0.22631.7079
Windows 11 Version 24H2KB5089549 + Hotpatch KB508946610.0.26100.8457
Windows 11 Version 25H2KB5089549 + Hotpatch KB508946610.0.26200.8457
Windows 11 Version 26H1KB508954810.0.28000.2113
Windows Server 2022KB5087545 + Hotpatch KB508742410.0.20348.5139
Windows Server 2022, 23H2 EditionKB508754110.0.25398.2330
Windows Server 2025KB5087539 + Hotpatch KB508742310.0.26100.32860

For Windows 11 24H2/25H2, Windows Server 2022, and Windows Server 2025, Microsoft provides both a standard cumulative update and a Security Hotpatch Update. The hotpatch updates can be applied without a reboot, which is particularly useful for production servers. Note that hotpatch builds carry slightly different build numbers than the full cumulative update, so administrators should verify they are running at least the build number listed above.

To confirm deployment, run winver or check systeminfo output and ensure the build number meets or exceeds the fixed version for the relevant product.

Affected Systems and Versions

Based on the patch matrix, the following Windows versions are confirmed affected:

  • Windows 10 Version 1809 (builds prior to 10.0.17763.8755)
  • Windows 10 Version 21H2 (builds prior to 10.0.19044.7291)
  • Windows 10 Version 22H2 (builds prior to 10.0.19045.7291)
  • Windows 11 Version 23H2 (builds prior to 10.0.22631.7079)
  • Windows 11 Version 24H2 (builds prior to 10.0.26100.8457)
  • Windows 11 Version 25H2 (builds prior to 10.0.26200.8457)
  • Windows 11 Version 26H1 (builds prior to 10.0.28000.2113)
  • Windows Server 2019 (builds prior to 10.0.17763.8755)
  • Windows Server 2022 (builds prior to 10.0.20348.5139)
  • Windows Server 2022, 23H2 Edition (builds prior to 10.0.25398.2330)
  • Windows Server 2025 (builds prior to 10.0.26100.32860)

Any system running the Cloud Files Mini Filter Driver (cldflt.sys) at a version below the patched build is vulnerable. Given that this driver supports OneDrive Files On Demand and similar cloud sync features, it is present on a wide range of default Windows installations.

Vendor Security History

The May 2026 Patch Tuesday release addressed between 120 and 137 vulnerabilities, none of which were zero days or actively exploited at the time of release. Within this batch, the Windows Cloud Files Mini Filter Driver stood out with three separate Elevation of Privilege vulnerabilities, all rated Important with a CVSS score of 7.8:

CVE IDComponentTypeCVSS Score
CVE-2026-34337Windows Cloud Files Mini Filter DriverElevation of Privilege7.8
CVE-2026-35418Windows Cloud Files Mini Filter DriverElevation of Privilege7.8
CVE-2026-33835Windows Cloud Files Mini Filter DriverElevation of Privilege7.8

This clustering of vulnerabilities in a single kernel mode driver suggests that the component underwent focused security review, either by external researchers or internal Microsoft teams. Microsoft's structured approach to vulnerability management, including monthly coordinated releases, an Exploitability Index, and active bug bounty programs, continues to provide a predictable remediation cadence for defenders.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization