Introduction
A use after free in the Windows Projected File System (ProjFS) quietly shipped with every supported version of Windows, giving any local user with basic credentials a path to SYSTEM privileges. Microsoft patched CVE-2026-34340 on May 12, 2026 as part of its regular Patch Tuesday cycle, and while exploitation requires winning a race condition, the payoff of full host compromise makes this one worth tracking for any team managing Windows endpoints or servers.
Technical Information
Root Cause: Use After Free in ProjFS Object Lifetime Management
CVE-2026-34340 is classified under CWE-416 (Use After Free). The flaw resides in the Windows Projected File System, a virtualization layer that allows a user mode application (called a "provider") to project hierarchical data from a backing data store into the file system, making it appear as native files and directories. ProjFS is used by tools like VFS for Git and other applications that need to lazily materialize large directory trees.
Because ProjFS operates as a kernel mode component, the use after free involves kernel object lifetime management. The race condition window indicates that concurrent operations on ProjFS managed objects can lead to a state where one code path frees an object while another retains and subsequently dereferences a stale pointer to it. Winning this race gives the attacker control over the contents of the reallocated memory region, which in a kernel context translates directly to arbitrary code execution at the highest privilege level.
CVSS Breakdown
The full CVSS 3.1 vector string is:
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Key observations from the vector:
- Attack Vector (AV:L): The attacker must have local access to the target system. This is not remotely exploitable.
- Attack Complexity (AC:H): Successful exploitation requires winning a race condition, which is nontrivial and may require repeated attempts or precise timing.
- Privileges Required (PR:L): A low privilege account is sufficient; no administrative access is needed to initiate the attack.
- User Interaction (UI:N): No victim interaction is required.
- Impact (C:H/I:H/A:H): If the race is won, the attacker achieves SYSTEM level access, resulting in total compromise of confidentiality, integrity, and availability on the host.
- Exploit Code Maturity (E:U): No public exploit code exists at the time of disclosure.
Attack Flow
Based on the available details, exploitation would proceed as follows:
- The attacker authenticates to the target system with a low privilege account.
- The attacker triggers concurrent ProjFS operations designed to create a race condition around object deallocation and subsequent access.
- If the race is won, a freed kernel object is dereferenced while the attacker controls the contents of the reallocated memory at that address.
- The attacker leverages the corrupted kernel state to execute code in kernel mode, escalating privileges to SYSTEM.
The scope is unchanged (S:U), meaning the security boundary that is violated is within the same security authority (the local OS), but the impact is total host compromise.
Patch Information
Microsoft released an official fix for CVE-2026-34340 on May 12, 2026 as part of its regular Patch Tuesday security updates. The Remediation Level is classified as "Official Fix," meaning a complete vendor solution has shipped. The patch corrects how ProjFS manages object lifetimes, eliminating the race condition window that could be exploited to reference freed memory. Because this is a closed source Windows kernel mode component, no source level diff is publicly available; the fix is delivered exclusively through cumulative updates.
Microsoft has not published any workaround for this vulnerability. Patching is the sole remediation.
The fix ships across the following products:
| Product Family | KB Article(s) | Patched Build |
|---|---|---|
| Windows 10 v21H2 / v22H2 | KB5087544 | 10.0.19044.7291 / 10.0.19045.7291 |
| Windows 10 v1809 / Server 2019 | KB5087538 | 10.0.17763.8755 |
| Windows 11 v23H2 | KB5087420 | 10.0.22631.7079 |
| Windows 11 v24H2 / v25H2 | KB5089549 + KB5089466 (hotpatch) | 10.0.26100.8457 / 10.0.26200.8457 |
| Windows 11 v26H1 | KB5089548 | 10.0.28000.2113 |
| Windows Server 2022 | KB5087545 + KB5087424 (hotpatch) | 10.0.20348.5139 |
| Windows Server 2022, 23H2 | KB5087541 | 10.0.25398.2330 |
| Windows Server 2025 | KB5087539 + KB5087423 (hotpatch) | 10.0.26100.32860 |
For Server 2022, Server 2025, and Windows 11 24H2/25H2, Microsoft also provides Security Hotpatch Updates via separate KB numbers listed above. These hotpatch KBs allow the fix to be applied without requiring an immediate reboot, which is particularly valuable in production server environments.
All listed product entries carry the "Customer Action Required" flag. In managed environments, automatic updates alone may not be sufficient. Administrators should verify deployment via Windows Update, WSUS, or the Microsoft Update Catalog.
Affected Systems and Versions
The following Windows versions are confirmed vulnerable prior to the patched builds listed above:
- Windows 10 Version 22H2 (builds prior to 10.0.19045.7291)
- Windows 10 Version 21H2 (builds prior to 10.0.19044.7291)
- Windows 10 Version 1809 (builds prior to 10.0.17763.8755)
- Windows 11 Version 26H1 (builds prior to 10.0.28000.2113)
- Windows 11 Version 25H2 (builds prior to 10.0.26200.8457)
- Windows 11 Version 24H2 (builds prior to 10.0.26100.8457)
- Windows 11 Version 23H2 (builds prior to 10.0.22631.7079)
- Windows Server 2025 (builds prior to 10.0.26100.32860)
- Windows Server 2022 (builds prior to 10.0.20348.5139)
- Windows Server 2022, 23H2 (builds prior to 10.0.25398.2330)
- Windows Server 2019 (builds prior to 10.0.17763.8755)
The vulnerability affects the Windows Projected File System component, which is available as an optional feature on these platforms.
Vendor Security History
Microsoft addressed 137 vulnerabilities in the May 2026 Patch Tuesday cycle, alongside 137 Chromium related issues for Microsoft Edge. No zero day vulnerabilities were reported in this specific patch cycle, which is relatively uncommon and suggests a period of lower active threat actor engagement with newly disclosed Microsoft flaws. CVE-2026-34340 was responsibly disclosed by researcher ChenJian with the Sea Security Orca Team.
References
- CVE-2026-34340: MSRC Security Update Guide
- CVE Record: CVE-2026-34340 (CVE.org)
- NVD Entry: CVE-2026-34340
- CWE-416: Use After Free
- Windows Projected File System Documentation (Microsoft Learn)
- Microsoft May 2026 Patch Tuesday (SANS Internet Storm Center)
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days (BleepingComputer)
- Zero Day Initiative: The May 2026 Security Update Review
- Desktop Windows Version Market Share Worldwide (StatCounter)
- Microsoft Update Catalog



