Introduction
An integer overflow in the Windows Storage Spaces Controller gives any locally authenticated user a path to full system privileges, no user interaction required. Disclosed by Microsoft on May 12, 2026, as part of a Patch Tuesday cycle that addressed over 120 vulnerabilities, CVE-2026-35415 carries a CVSS base score of 7.8 and affects virtually every supported version of Windows, from Server 2012 R2 through Server 2025 and Windows 10 through Windows 11 26H1.
Technical Information
Root Cause: Integer Overflow in Storage Spaces Controller
The vulnerability is rooted in an integer overflow or wraparound condition (CWE-190) within the Windows Storage Spaces Controller. Integer overflows occur when an arithmetic operation produces a numeric value that exceeds the range representable by the data type in use. When this happens in a kernel or privileged system component like the Storage Spaces Controller, the consequences can be severe: corrupted memory, manipulated internal data structures, and ultimately, arbitrary code execution at elevated privilege levels.
CVSS Vector Breakdown
Microsoft assigned the following CVSS 3.1 vector string:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
This tells us several important things about the vulnerability's characteristics:
- Attack Vector (Local): The attacker must already have access to the target system. This is not remotely exploitable on its own.
- Attack Complexity (Low): No special conditions, race conditions, or extenuating circumstances are required to trigger the overflow.
- Privileges Required (Low): Only basic user level access is needed. A standard domain user or local account is sufficient.
- User Interaction (None): The exploit does not require a victim to click a link, open a file, or take any action.
- Impact (High across all three pillars): Successful exploitation results in high impact to confidentiality, integrity, and availability. The attacker can read sensitive data, modify system state, and disrupt services.
- Exploitability (Unproven): No public exploit code exists as of mid May 2026.
- Remediation Level (Official Fix): Microsoft has released patches.
Attack Flow
Based on the vulnerability characteristics, the exploitation path would follow this general sequence:
- Initial Access: The attacker establishes a low privilege foothold on a Windows system through any standard initial access technique (phishing, compromised credentials, web application vulnerability, etc.).
- Targeting the Storage Spaces Controller: With local access and basic user privileges, the attacker crafts input that triggers the integer overflow condition in the Storage Spaces Controller component.
- Privilege Escalation: The integer overflow corrupts memory or manipulates internal data structures, allowing the attacker to execute code at elevated privilege levels.
- Full System Compromise: With elevated privileges, the attacker gains full control over the affected system, including the ability to access sensitive data, install persistent backdoors, move laterally, or disrupt operations.
The low attack complexity and absence of any user interaction requirement make this vulnerability particularly attractive for post exploitation scenarios. An attacker who has already gained a foothold through any means can chain this vulnerability to achieve full system compromise with minimal effort.
Scope of Impact
While the vulnerability resides specifically in the Storage Spaces Controller, the impact spans the entire Windows ecosystem. The Storage Spaces Controller is not an optional or rarely installed component; it is part of the core operating system. This means organizations cannot limit their patching efforts solely to dedicated storage servers. Every Windows endpoint and server running an affected version is potentially vulnerable.
Affected Systems and Versions
The vulnerability affects a broad range of Windows client and server operating systems:
| Product | Platform Variants | Impact | Severity |
|---|---|---|---|
| Windows Server 2012 R2 | Server Core and Standard | Elevation of Privilege | Important |
| Windows Server 2016 | Server Core and Standard | Elevation of Privilege | Important |
| Windows Server 2019 | Server Core and Standard | Elevation of Privilege | Important |
| Windows Server 2022 | Server Core and Standard | Elevation of Privilege | Important |
| Windows Server 2025 | Server Core and Standard | Elevation of Privilege | Important |
| Windows 10 | Versions 1607, 21H2, 22H2 | Elevation of Privilege | Important |
| Windows 11 | Versions 23H2, 24H2, 25H2, 26H1 | Elevation of Privilege | Important |
Organizations should treat this as a universal operating system update rather than a targeted component fix. Both Server Core installations and full desktop installations are affected.
References
- CVE-2026-35415 Detail, National Vulnerability Database (NVD)
- CVE-2026-35415, Microsoft Security Update Guide
- CVE-2026-35415: Confirmed Storage Spaces EoP Flaw, Windows Forum
- Microsoft Patch Tuesday for May 2026, Cisco Talos Intelligence Blog
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days, BleepingComputer
- Microsoft Patch Tuesday May 2026: 120 Vulnerabilities Fixed, Cybersecurity News
- Desktop Operating System Market Share Worldwide, StatCounter



