ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-34340 Use After Free in Windows Projected File System Enables Local Privilege Escalation

A short review of CVE-2026-34340, a use after free vulnerability in the Windows Projected File System (ProjFS) that allows local privilege escalation to SYSTEM via a race condition. Patch information and affected versions are included.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-34340 Use After Free in Windows Projected File System Enables Local Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A use after free in the Windows Projected File System (ProjFS) quietly shipped with every supported version of Windows, giving any local user with basic credentials a path to SYSTEM privileges. Microsoft patched CVE-2026-34340 on May 12, 2026 as part of its regular Patch Tuesday cycle, and while exploitation requires winning a race condition, the payoff of full host compromise makes this one worth tracking for any team managing Windows endpoints or servers.

Technical Information

Root Cause: Use After Free in ProjFS Object Lifetime Management

CVE-2026-34340 is classified under CWE-416 (Use After Free). The flaw resides in the Windows Projected File System, a virtualization layer that allows a user mode application (called a "provider") to project hierarchical data from a backing data store into the file system, making it appear as native files and directories. ProjFS is used by tools like VFS for Git and other applications that need to lazily materialize large directory trees.

Because ProjFS operates as a kernel mode component, the use after free involves kernel object lifetime management. The race condition window indicates that concurrent operations on ProjFS managed objects can lead to a state where one code path frees an object while another retains and subsequently dereferences a stale pointer to it. Winning this race gives the attacker control over the contents of the reallocated memory region, which in a kernel context translates directly to arbitrary code execution at the highest privilege level.

CVSS Breakdown

The full CVSS 3.1 vector string is:

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Key observations from the vector:

  • Attack Vector (AV:L): The attacker must have local access to the target system. This is not remotely exploitable.
  • Attack Complexity (AC:H): Successful exploitation requires winning a race condition, which is nontrivial and may require repeated attempts or precise timing.
  • Privileges Required (PR:L): A low privilege account is sufficient; no administrative access is needed to initiate the attack.
  • User Interaction (UI:N): No victim interaction is required.
  • Impact (C:H/I:H/A:H): If the race is won, the attacker achieves SYSTEM level access, resulting in total compromise of confidentiality, integrity, and availability on the host.
  • Exploit Code Maturity (E:U): No public exploit code exists at the time of disclosure.

Attack Flow

Based on the available details, exploitation would proceed as follows:

  1. The attacker authenticates to the target system with a low privilege account.
  2. The attacker triggers concurrent ProjFS operations designed to create a race condition around object deallocation and subsequent access.
  3. If the race is won, a freed kernel object is dereferenced while the attacker controls the contents of the reallocated memory at that address.
  4. The attacker leverages the corrupted kernel state to execute code in kernel mode, escalating privileges to SYSTEM.

The scope is unchanged (S:U), meaning the security boundary that is violated is within the same security authority (the local OS), but the impact is total host compromise.

Patch Information

Microsoft released an official fix for CVE-2026-34340 on May 12, 2026 as part of its regular Patch Tuesday security updates. The Remediation Level is classified as "Official Fix," meaning a complete vendor solution has shipped. The patch corrects how ProjFS manages object lifetimes, eliminating the race condition window that could be exploited to reference freed memory. Because this is a closed source Windows kernel mode component, no source level diff is publicly available; the fix is delivered exclusively through cumulative updates.

Microsoft has not published any workaround for this vulnerability. Patching is the sole remediation.

The fix ships across the following products:

Product FamilyKB Article(s)Patched Build
Windows 10 v21H2 / v22H2KB508754410.0.19044.7291 / 10.0.19045.7291
Windows 10 v1809 / Server 2019KB508753810.0.17763.8755
Windows 11 v23H2KB508742010.0.22631.7079
Windows 11 v24H2 / v25H2KB5089549 + KB5089466 (hotpatch)10.0.26100.8457 / 10.0.26200.8457
Windows 11 v26H1KB508954810.0.28000.2113
Windows Server 2022KB5087545 + KB5087424 (hotpatch)10.0.20348.5139
Windows Server 2022, 23H2KB508754110.0.25398.2330
Windows Server 2025KB5087539 + KB5087423 (hotpatch)10.0.26100.32860

For Server 2022, Server 2025, and Windows 11 24H2/25H2, Microsoft also provides Security Hotpatch Updates via separate KB numbers listed above. These hotpatch KBs allow the fix to be applied without requiring an immediate reboot, which is particularly valuable in production server environments.

All listed product entries carry the "Customer Action Required" flag. In managed environments, automatic updates alone may not be sufficient. Administrators should verify deployment via Windows Update, WSUS, or the Microsoft Update Catalog.

Affected Systems and Versions

The following Windows versions are confirmed vulnerable prior to the patched builds listed above:

  • Windows 10 Version 22H2 (builds prior to 10.0.19045.7291)
  • Windows 10 Version 21H2 (builds prior to 10.0.19044.7291)
  • Windows 10 Version 1809 (builds prior to 10.0.17763.8755)
  • Windows 11 Version 26H1 (builds prior to 10.0.28000.2113)
  • Windows 11 Version 25H2 (builds prior to 10.0.26200.8457)
  • Windows 11 Version 24H2 (builds prior to 10.0.26100.8457)
  • Windows 11 Version 23H2 (builds prior to 10.0.22631.7079)
  • Windows Server 2025 (builds prior to 10.0.26100.32860)
  • Windows Server 2022 (builds prior to 10.0.20348.5139)
  • Windows Server 2022, 23H2 (builds prior to 10.0.25398.2330)
  • Windows Server 2019 (builds prior to 10.0.17763.8755)

The vulnerability affects the Windows Projected File System component, which is available as an optional feature on these platforms.

Vendor Security History

Microsoft addressed 137 vulnerabilities in the May 2026 Patch Tuesday cycle, alongside 137 Chromium related issues for Microsoft Edge. No zero day vulnerabilities were reported in this specific patch cycle, which is relatively uncommon and suggests a period of lower active threat actor engagement with newly disclosed Microsoft flaws. CVE-2026-34340 was responsibly disclosed by researcher ChenJian with the Sea Security Orca Team.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization