ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-35415 Windows Storage Spaces Controller Integer Overflow Privilege Escalation

A short review of CVE-2026-35415, a CVSS 7.8 integer overflow vulnerability in the Windows Storage Spaces Controller that enables local privilege escalation across a wide range of Windows client and server operating systems.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: CVE-2026-35415 Windows Storage Spaces Controller Integer Overflow Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An integer overflow in the Windows Storage Spaces Controller gives any locally authenticated user a path to full system privileges, no user interaction required. Disclosed by Microsoft on May 12, 2026, as part of a Patch Tuesday cycle that addressed over 120 vulnerabilities, CVE-2026-35415 carries a CVSS base score of 7.8 and affects virtually every supported version of Windows, from Server 2012 R2 through Server 2025 and Windows 10 through Windows 11 26H1.

Technical Information

Root Cause: Integer Overflow in Storage Spaces Controller

The vulnerability is rooted in an integer overflow or wraparound condition (CWE-190) within the Windows Storage Spaces Controller. Integer overflows occur when an arithmetic operation produces a numeric value that exceeds the range representable by the data type in use. When this happens in a kernel or privileged system component like the Storage Spaces Controller, the consequences can be severe: corrupted memory, manipulated internal data structures, and ultimately, arbitrary code execution at elevated privilege levels.

CVSS Vector Breakdown

Microsoft assigned the following CVSS 3.1 vector string:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

This tells us several important things about the vulnerability's characteristics:

  • Attack Vector (Local): The attacker must already have access to the target system. This is not remotely exploitable on its own.
  • Attack Complexity (Low): No special conditions, race conditions, or extenuating circumstances are required to trigger the overflow.
  • Privileges Required (Low): Only basic user level access is needed. A standard domain user or local account is sufficient.
  • User Interaction (None): The exploit does not require a victim to click a link, open a file, or take any action.
  • Impact (High across all three pillars): Successful exploitation results in high impact to confidentiality, integrity, and availability. The attacker can read sensitive data, modify system state, and disrupt services.
  • Exploitability (Unproven): No public exploit code exists as of mid May 2026.
  • Remediation Level (Official Fix): Microsoft has released patches.

Attack Flow

Based on the vulnerability characteristics, the exploitation path would follow this general sequence:

  1. Initial Access: The attacker establishes a low privilege foothold on a Windows system through any standard initial access technique (phishing, compromised credentials, web application vulnerability, etc.).
  2. Targeting the Storage Spaces Controller: With local access and basic user privileges, the attacker crafts input that triggers the integer overflow condition in the Storage Spaces Controller component.
  3. Privilege Escalation: The integer overflow corrupts memory or manipulates internal data structures, allowing the attacker to execute code at elevated privilege levels.
  4. Full System Compromise: With elevated privileges, the attacker gains full control over the affected system, including the ability to access sensitive data, install persistent backdoors, move laterally, or disrupt operations.

The low attack complexity and absence of any user interaction requirement make this vulnerability particularly attractive for post exploitation scenarios. An attacker who has already gained a foothold through any means can chain this vulnerability to achieve full system compromise with minimal effort.

Scope of Impact

While the vulnerability resides specifically in the Storage Spaces Controller, the impact spans the entire Windows ecosystem. The Storage Spaces Controller is not an optional or rarely installed component; it is part of the core operating system. This means organizations cannot limit their patching efforts solely to dedicated storage servers. Every Windows endpoint and server running an affected version is potentially vulnerable.

Affected Systems and Versions

The vulnerability affects a broad range of Windows client and server operating systems:

ProductPlatform VariantsImpactSeverity
Windows Server 2012 R2Server Core and StandardElevation of PrivilegeImportant
Windows Server 2016Server Core and StandardElevation of PrivilegeImportant
Windows Server 2019Server Core and StandardElevation of PrivilegeImportant
Windows Server 2022Server Core and StandardElevation of PrivilegeImportant
Windows Server 2025Server Core and StandardElevation of PrivilegeImportant
Windows 10Versions 1607, 21H2, 22H2Elevation of PrivilegeImportant
Windows 11Versions 23H2, 24H2, 25H2, 26H1Elevation of PrivilegeImportant

Organizations should treat this as a universal operating system update rather than a targeted component fix. Both Server Core installations and full desktop installations are affected.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization