Introduction
A use after free vulnerability in the Windows Cloud Files Mini Filter Driver, patched in the May 2026 Patch Tuesday cycle, gives any low privilege local user a reliable path to SYSTEM level access. With a CVSS score of 7.8 and low attack complexity requiring no user interaction, CVE-2026-34337 represents a meaningful post compromise escalation primitive for attackers who have already established a foothold on a Windows machine.
What makes this particular fix worth paying attention to is context: Microsoft patched three separate Elevation of Privilege vulnerabilities in the same cldflt.sys driver in a single update cycle, all carrying identical severity ratings. That kind of clustering in a kernel mode component signals that the driver has been under serious scrutiny and warrants prompt patching.
Technical Information
The Vulnerable Component
The Windows Cloud Files Mini Filter Driver (cldflt.sys) is a kernel mode file system mini filter that underpins cloud file synchronization features in Windows, including OneDrive's Files On Demand functionality. As a mini filter driver, it operates at a privileged level within the Windows I/O stack, intercepting and processing file system requests before they reach the underlying file system driver.
Root Cause
CVE-2026-34337 is the result of two interrelated software weaknesses:
- CWE-416 (Use After Free): The driver frees a memory object but fails to invalidate all references to it. A subsequent operation dereferences the now stale pointer, accessing memory that may have been reallocated for a different purpose.
- CWE-362 (Race Condition): Concurrent execution paths within the driver share a resource without proper synchronization. This creates a timing window where one thread can free an object while another thread still holds and uses a reference to it.
The patch addresses both issues by ensuring that memory references are properly invalidated before deallocation and that concurrent execution paths cannot trigger a stale pointer dereference.
CVSS Breakdown
The full CVSS 3.1 vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which tells us quite a bit about the exploitation profile:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Local | Attacker must have local access to the target system |
| Attack Complexity | Low | No specialized conditions required; repeatable success expected |
| Privileges Required | Low | Basic user privileges are sufficient |
| User Interaction | None | No action from another user is needed |
| Scope | Unchanged | Exploit does not cross security authority boundaries |
| Confidentiality | High | Complete loss of confidentiality via SYSTEM access |
| Integrity | High | Full ability to modify system files and configurations |
| Availability | High | Potential to fully disrupt system operations |
The low attack complexity rating is the detail that stands out most. For a race condition based vulnerability, this indicates the timing window is not narrow or difficult to hit, meaning exploitation does not require precise environmental conditions or repeated attempts.
Attack Flow
Based on the CWE classifications and CVSS metrics, the exploitation path would follow this general sequence:
- An attacker with low privilege local access identifies the vulnerable
cldflt.sysdriver on the target system. - The attacker triggers concurrent operations against the Cloud Files Mini Filter Driver, exploiting the race condition to create a window where a memory object is freed while a reference to it persists in another execution path.
- The attacker manipulates the freed memory region (for example, through heap spraying or controlled allocation) so that when the stale pointer is dereferenced, execution is redirected to attacker controlled code.
- Because
cldflt.sysoperates in kernel mode, successful exploitation yields SYSTEM level privileges, granting full control over the machine.
No proof of concept code or detailed exploitation methodology has been publicly disclosed. The analysis above is derived strictly from the CWE classifications, CVSS metrics, and patch description provided by Microsoft.
Patch Information
Microsoft released the official fix for CVE-2026-34337 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the Remediation Level as "Official Fix." No workarounds or configuration based mitigations exist; the only remediation path is to install the appropriate cumulative security update.
The following table lists the relevant Knowledge Base articles and minimum fixed build numbers:
| Product | KB Article(s) | Fixed Build Number |
|---|---|---|
| Windows 10 Version 1809 / Windows Server 2019 | KB5087538 | 10.0.17763.8755 |
| Windows 10 Version 21H2 | KB5087544 | 10.0.19044.7291 |
| Windows 10 Version 22H2 | KB5087544 | 10.0.19045.7291 |
| Windows 11 Version 23H2 | KB5087420 | 10.0.22631.7079 |
| Windows 11 Version 24H2 | KB5089549 + Hotpatch KB5089466 | 10.0.26100.8457 |
| Windows 11 Version 25H2 | KB5089549 + Hotpatch KB5089466 | 10.0.26200.8457 |
| Windows 11 Version 26H1 | KB5089548 | 10.0.28000.2113 |
| Windows Server 2022 | KB5087545 + Hotpatch KB5087424 | 10.0.20348.5139 |
| Windows Server 2022, 23H2 Edition | KB5087541 | 10.0.25398.2330 |
| Windows Server 2025 | KB5087539 + Hotpatch KB5087423 | 10.0.26100.32860 |
For Windows 11 24H2/25H2, Windows Server 2022, and Windows Server 2025, Microsoft provides both a standard cumulative update and a Security Hotpatch Update. The hotpatch updates can be applied without a reboot, which is particularly useful for production servers. Note that hotpatch builds carry slightly different build numbers than the full cumulative update, so administrators should verify they are running at least the build number listed above.
To confirm deployment, run winver or check systeminfo output and ensure the build number meets or exceeds the fixed version for the relevant product.
Affected Systems and Versions
Based on the patch matrix, the following Windows versions are confirmed affected:
- Windows 10 Version 1809 (builds prior to 10.0.17763.8755)
- Windows 10 Version 21H2 (builds prior to 10.0.19044.7291)
- Windows 10 Version 22H2 (builds prior to 10.0.19045.7291)
- Windows 11 Version 23H2 (builds prior to 10.0.22631.7079)
- Windows 11 Version 24H2 (builds prior to 10.0.26100.8457)
- Windows 11 Version 25H2 (builds prior to 10.0.26200.8457)
- Windows 11 Version 26H1 (builds prior to 10.0.28000.2113)
- Windows Server 2019 (builds prior to 10.0.17763.8755)
- Windows Server 2022 (builds prior to 10.0.20348.5139)
- Windows Server 2022, 23H2 Edition (builds prior to 10.0.25398.2330)
- Windows Server 2025 (builds prior to 10.0.26100.32860)
Any system running the Cloud Files Mini Filter Driver (cldflt.sys) at a version below the patched build is vulnerable. Given that this driver supports OneDrive Files On Demand and similar cloud sync features, it is present on a wide range of default Windows installations.
Vendor Security History
The May 2026 Patch Tuesday release addressed between 120 and 137 vulnerabilities, none of which were zero days or actively exploited at the time of release. Within this batch, the Windows Cloud Files Mini Filter Driver stood out with three separate Elevation of Privilege vulnerabilities, all rated Important with a CVSS score of 7.8:
| CVE ID | Component | Type | CVSS Score |
|---|---|---|---|
| CVE-2026-34337 | Windows Cloud Files Mini Filter Driver | Elevation of Privilege | 7.8 |
| CVE-2026-35418 | Windows Cloud Files Mini Filter Driver | Elevation of Privilege | 7.8 |
| CVE-2026-33835 | Windows Cloud Files Mini Filter Driver | Elevation of Privilege | 7.8 |
This clustering of vulnerabilities in a single kernel mode driver suggests that the component underwent focused security review, either by external researchers or internal Microsoft teams. Microsoft's structured approach to vulnerability management, including monthly coordinated releases, an Exploitability Index, and active bug bounty programs, continues to provide a predictable remediation cadence for defenders.
References
- MSRC Advisory: CVE-2026-34337
- NVD: CVE-2026-34337
- CVE Record: CVE-2026-34337
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- SANS Internet Storm Center: Microsoft May 2026 Patch Tuesday
- Zero Day Initiative: The May 2026 Security Update Review
- Microsoft Bounty Programs
- Desktop OS Market Share Worldwide (StatCounter)
- KB5087538 (Windows 10 1809 / Server 2019)
- KB5087544 (Windows 10 21H2 / 22H2)
- KB5087420 (Windows 11 23H2)
- KB5089549 (Windows 11 24H2 / 25H2)
- KB5089466 (Hotpatch for Windows 11 24H2 / 25H2)
- KB5089548 (Windows 11 26H1)
- KB5087545 (Windows Server 2022)
- KB5087424 (Hotpatch for Windows Server 2022)
- KB5087541 (Windows Server 2022, 23H2)
- KB5087539 (Windows Server 2025)
- KB5087423 (Hotpatch for Windows Server 2025)



