ZeroPath at Black Hat USA 2026

Windows Telephony Service CVE-2026-34338: Brief Summary of a Use After Free Privilege Escalation

A brief summary of CVE-2026-34338, a Use After Free vulnerability in the Windows Telephony Service that enables local privilege escalation to SYSTEM. Includes patch details across all affected Windows desktop and server versions.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Windows Telephony Service CVE-2026-34338: Brief Summary of a Use After Free Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A Use After Free vulnerability in the Windows Telephony Service, patched in Microsoft's May 2026 Patch Tuesday cycle, gives any local user with basic privileges a reliable path to SYSTEM. With a CVSS 3.1 base score of 7.8 and an attack that requires no user interaction, CVE-2026-34338 is the kind of local privilege escalation that red teams and post-compromise toolkits tend to adopt quickly once details become available.

Technical Information

Root Cause

CVE-2026-34338 is a Use After Free (CWE-416) vulnerability in the Windows Telephony Service. This service exposes the Telephony Application Programming Interface (TAPI), which communications applications rely on for call control and media stream management. The flaw exists because the service's internal handling logic continues to reference a memory region after it has been freed. When the freed memory is subsequently accessed, the stale pointer can be leveraged to corrupt adjacent structures or redirect execution flow.

CVSS Breakdown

The full CVSS 3.1 vector string is:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

MetricValueImplication
Attack VectorLocalAttacker needs local access (keyboard, console, or SSH)
Attack ComplexityLowNo specialized conditions or race windows required
Privileges RequiredLowBasic user capabilities are sufficient
User InteractionNoneExploitation does not depend on another user's actions
ScopeUnchangedThe impacted component is the same as the vulnerable component
Confidentiality / Integrity / AvailabilityHigh / High / HighFull SYSTEM compromise on success
Exploit Code MaturityUnprovenNo known exploit code at time of disclosure

Attack Flow

Based on the vulnerability characteristics, the exploitation path follows a well understood pattern for Use After Free bugs in Windows system services:

  1. Initial Access: The attacker obtains a low privilege session on the target system. This could be through compromised credentials, a separate initial access vulnerability, or legitimate but restricted user access.

  2. Triggering the Free: The attacker interacts with the Telephony Service in a way that causes an internal object to be deallocated while a reference (pointer) to that object remains active within the service.

  3. Reclaiming Freed Memory: The attacker allocates controlled data into the same memory region that was just freed. Because the Telephony Service still holds a dangling pointer to this region, any subsequent operation that dereferences the pointer will now operate on attacker-controlled content.

  4. Privilege Escalation: By carefully crafting the replacement data, the attacker can hijack execution flow within the Telephony Service process, which runs with elevated privileges. Successful exploitation grants SYSTEM-level access, providing full control over confidentiality, integrity, and availability of the host.

The low attack complexity and absence of any user interaction requirement make this a particularly clean escalation primitive once an attacker has a foothold.

Patch Information

Microsoft released an official fix for CVE-2026-34338 on May 12, 2026, as part of its May 2026 Patch Tuesday cycle. The Remediation Level is marked as "Official Fix", confirming a complete vendor solution is available. Because the Windows Telephony Service is a closed source component, no source level diff is publicly available. The fix is delivered entirely through cumulative and security updates distributed via Windows Update and the Microsoft Update Catalog.

The underlying fix almost certainly corrects the object lifetime management within the Telephony Service's internal handling logic, ensuring that the freed memory region is either properly nullified or that references to it are invalidated before any subsequent access. This is the standard remediation pattern for CWE-416 bugs in Windows system services.

Windows 11

VersionKB Article(s)Patched Build
26H1 (x64 / ARM64)KB508954810.0.28000.2113
25H2 (x64 / ARM64)KB5089549, KB5089466 (Hotpatch)10.0.26200.8457 / .8390
24H2 (x64 / ARM64)KB5089549, KB5089466 (Hotpatch)10.0.26100.8457 / .8390
23H2 (x64 / ARM64)KB508742010.0.22631.7079

Windows 10

VersionKB ArticlePatched Build
22H2 (32 bit / ARM64 / x64)KB508754410.0.19045.7291
21H2 (32 bit / ARM64 / x64)KB508754410.0.19044.7291
1809 (32 bit / x64)KB508753810.0.17763.8755
1607 (32 bit / x64)KB508753710.0.14393.9140

Windows Server

VersionKB Article(s)Patched Build
Server 2025KB5087539, KB5087423 (Hotpatch)10.0.26100.32860 / .32772
Server 2022, 23H2 (Core)KB508754110.0.25398.2330
Server 2022KB5087545, KB5087424 (Hotpatch)10.0.20348.5139 / .5074
Server 2019KB508753810.0.17763.8755
Server 2016KB508753710.0.14393.9140
Server 2012 R2KB50874716.3.9600.23181
Server 2012KB50874706.2.9200.26079

Hotpatch Availability

A noteworthy aspect of this rollout is that several newer platforms received both a standard Security Update and a Security Hotpatch Update. Hotpatch updates allow the fix to be applied in memory without requiring a reboot, reducing operational disruption. The following platforms support hotpatching for this fix:

All updates are marked with "Customer Action Required" by Microsoft, meaning manual or automated application of these patches is necessary to achieve protection.

Affected Systems and Versions

The vulnerability impacts a broad range of Windows desktop and server environments. The following lists the specific vulnerable build ranges:

Windows 10:

  • Version 1607: builds 10.0.14393.0 through 10.0.14393.9140
  • Version 1809: builds 10.0.17763.0 through 10.0.17763.8755
  • Version 21H2: builds 10.0.19044.0 through 10.0.19044.7291
  • Version 22H2: builds 10.0.19045.0 through 10.0.19045.7291

Windows 11:

  • Version 22H3: builds 10.0.22631.0 through 10.0.22631.7079
  • Version 24H2: builds 10.0.26100.0 through 10.0.26100.8457

Windows Server:

  • Server 2012: builds 6.2.9200.0 through 6.2.9200.26079
  • Server 2016: builds 10.0.14393.0 through 10.0.14393.9140
  • Server 2019: builds 10.0.17763.0 through 10.0.17763.8755
  • Server 2022: builds 10.0.20348.0 through 10.0.20348.5139
  • Server 2025: builds 10.0.26100.0 through 10.0.26100.32860

This extensive matrix means that nearly all modern Windows enterprise environments contain vulnerable endpoints if the May 2026 patches have not been applied.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization