Introduction
A Use After Free vulnerability in the Windows Telephony Service, patched in Microsoft's May 2026 Patch Tuesday cycle, gives any local user with basic privileges a reliable path to SYSTEM. With a CVSS 3.1 base score of 7.8 and an attack that requires no user interaction, CVE-2026-34338 is the kind of local privilege escalation that red teams and post-compromise toolkits tend to adopt quickly once details become available.
Technical Information
Root Cause
CVE-2026-34338 is a Use After Free (CWE-416) vulnerability in the Windows Telephony Service. This service exposes the Telephony Application Programming Interface (TAPI), which communications applications rely on for call control and media stream management. The flaw exists because the service's internal handling logic continues to reference a memory region after it has been freed. When the freed memory is subsequently accessed, the stale pointer can be leveraged to corrupt adjacent structures or redirect execution flow.
CVSS Breakdown
The full CVSS 3.1 vector string is:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Local | Attacker needs local access (keyboard, console, or SSH) |
| Attack Complexity | Low | No specialized conditions or race windows required |
| Privileges Required | Low | Basic user capabilities are sufficient |
| User Interaction | None | Exploitation does not depend on another user's actions |
| Scope | Unchanged | The impacted component is the same as the vulnerable component |
| Confidentiality / Integrity / Availability | High / High / High | Full SYSTEM compromise on success |
| Exploit Code Maturity | Unproven | No known exploit code at time of disclosure |
Attack Flow
Based on the vulnerability characteristics, the exploitation path follows a well understood pattern for Use After Free bugs in Windows system services:
-
Initial Access: The attacker obtains a low privilege session on the target system. This could be through compromised credentials, a separate initial access vulnerability, or legitimate but restricted user access.
-
Triggering the Free: The attacker interacts with the Telephony Service in a way that causes an internal object to be deallocated while a reference (pointer) to that object remains active within the service.
-
Reclaiming Freed Memory: The attacker allocates controlled data into the same memory region that was just freed. Because the Telephony Service still holds a dangling pointer to this region, any subsequent operation that dereferences the pointer will now operate on attacker-controlled content.
-
Privilege Escalation: By carefully crafting the replacement data, the attacker can hijack execution flow within the Telephony Service process, which runs with elevated privileges. Successful exploitation grants SYSTEM-level access, providing full control over confidentiality, integrity, and availability of the host.
The low attack complexity and absence of any user interaction requirement make this a particularly clean escalation primitive once an attacker has a foothold.
Patch Information
Microsoft released an official fix for CVE-2026-34338 on May 12, 2026, as part of its May 2026 Patch Tuesday cycle. The Remediation Level is marked as "Official Fix", confirming a complete vendor solution is available. Because the Windows Telephony Service is a closed source component, no source level diff is publicly available. The fix is delivered entirely through cumulative and security updates distributed via Windows Update and the Microsoft Update Catalog.
The underlying fix almost certainly corrects the object lifetime management within the Telephony Service's internal handling logic, ensuring that the freed memory region is either properly nullified or that references to it are invalidated before any subsequent access. This is the standard remediation pattern for CWE-416 bugs in Windows system services.
Windows 11
| Version | KB Article(s) | Patched Build |
|---|---|---|
| 26H1 (x64 / ARM64) | KB5089548 | 10.0.28000.2113 |
| 25H2 (x64 / ARM64) | KB5089549, KB5089466 (Hotpatch) | 10.0.26200.8457 / .8390 |
| 24H2 (x64 / ARM64) | KB5089549, KB5089466 (Hotpatch) | 10.0.26100.8457 / .8390 |
| 23H2 (x64 / ARM64) | KB5087420 | 10.0.22631.7079 |
Windows 10
| Version | KB Article | Patched Build |
|---|---|---|
| 22H2 (32 bit / ARM64 / x64) | KB5087544 | 10.0.19045.7291 |
| 21H2 (32 bit / ARM64 / x64) | KB5087544 | 10.0.19044.7291 |
| 1809 (32 bit / x64) | KB5087538 | 10.0.17763.8755 |
| 1607 (32 bit / x64) | KB5087537 | 10.0.14393.9140 |
Windows Server
| Version | KB Article(s) | Patched Build |
|---|---|---|
| Server 2025 | KB5087539, KB5087423 (Hotpatch) | 10.0.26100.32860 / .32772 |
| Server 2022, 23H2 (Core) | KB5087541 | 10.0.25398.2330 |
| Server 2022 | KB5087545, KB5087424 (Hotpatch) | 10.0.20348.5139 / .5074 |
| Server 2019 | KB5087538 | 10.0.17763.8755 |
| Server 2016 | KB5087537 | 10.0.14393.9140 |
| Server 2012 R2 | KB5087471 | 6.3.9600.23181 |
| Server 2012 | KB5087470 | 6.2.9200.26079 |
Hotpatch Availability
A noteworthy aspect of this rollout is that several newer platforms received both a standard Security Update and a Security Hotpatch Update. Hotpatch updates allow the fix to be applied in memory without requiring a reboot, reducing operational disruption. The following platforms support hotpatching for this fix:
All updates are marked with "Customer Action Required" by Microsoft, meaning manual or automated application of these patches is necessary to achieve protection.
Affected Systems and Versions
The vulnerability impacts a broad range of Windows desktop and server environments. The following lists the specific vulnerable build ranges:
Windows 10:
- Version 1607: builds 10.0.14393.0 through 10.0.14393.9140
- Version 1809: builds 10.0.17763.0 through 10.0.17763.8755
- Version 21H2: builds 10.0.19044.0 through 10.0.19044.7291
- Version 22H2: builds 10.0.19045.0 through 10.0.19045.7291
Windows 11:
- Version 22H3: builds 10.0.22631.0 through 10.0.22631.7079
- Version 24H2: builds 10.0.26100.0 through 10.0.26100.8457
Windows Server:
- Server 2012: builds 6.2.9200.0 through 6.2.9200.26079
- Server 2016: builds 10.0.14393.0 through 10.0.14393.9140
- Server 2019: builds 10.0.17763.0 through 10.0.17763.8755
- Server 2022: builds 10.0.20348.0 through 10.0.20348.5139
- Server 2025: builds 10.0.26100.0 through 10.0.26100.32860
This extensive matrix means that nearly all modern Windows enterprise environments contain vulnerable endpoints if the May 2026 patches have not been applied.
References
- NVD: CVE-2026-34338
- MSRC Security Update Guide: CVE-2026-34338
- CVE Record: CVE-2026-34338
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Zero Day Initiative: The May 2026 Security Update Review
- VulDB: CVE-2026-34338
- Microsoft Learn: Telephony Application Programming Interfaces
- Wikipedia: Telephony Application Programming Interface



