ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-35418 Windows Cloud Files Mini Filter Driver Use After Free Privilege Escalation

A short review of CVE-2026-35418, a use after free vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys) that allows local privilege escalation to SYSTEM. Includes patch details across 17 affected Windows product versions.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: CVE-2026-35418 Windows Cloud Files Mini Filter Driver Use After Free Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A use after free vulnerability in the Windows Cloud Files Mini Filter Driver now gives any locally authenticated user a reliable path to SYSTEM privileges, requiring no user interaction and only low privilege access. With 17 distinct Windows product versions affected across the desktop and server landscape, and a historical precedent of active exploitation targeting this exact driver, CVE-2026-35418 deserves prompt attention from security teams managing Windows estates.

Technical Information

The Vulnerable Component: cldflt.sys

The Windows Cloud Files Mini Filter Driver, cldflt.sys, is a kernel mode minifilter that sits at the core of the storage stack in the Windows cloud files API. It acts as a proxy between user applications and sync engines, working directly with the Windows Shell to present cloud data as locally available on NTFS volumes. This driver underpins features like OneDrive Files On Demand and is loaded on virtually every modern Windows installation that uses cloud file synchronization.

Root Cause: TOCTOU Race Leading to Use After Free

Microsoft identifies two weaknesses associated with this flaw: CWE-416 (Use After Free) and CWE-367 (Time of Check Time of Use Race Condition). The vulnerability arises when one kernel thread validates and begins operating on an object managed by the minifilter while a concurrent thread triggers that object's deallocation. The first thread then continues to reference the now freed memory through a dangling pointer.

Because cldflt.sys operates in kernel space, corrupting memory through this dangling pointer dereference can yield arbitrary code execution at the highest privilege level. The CVSS 3.1 vector string captures the severity well:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

This translates to a base score of 7.8 and a temporal score of 6.8. The key takeaways from the vector: local access is required, but attack complexity is low, only low privileges are needed, and no user interaction is necessary. Impact is high across all three pillars of confidentiality, integrity, and availability.

Attack Flow

Exploitation of CVE-2026-35418 follows a post compromise privilege escalation pattern:

  1. Initial Access: The attacker obtains a low privilege session on the target system through any means (phishing, credential theft, exploitation of another vulnerability).
  2. Triggering the Race: The attacker crafts operations that interact with the Cloud Files Mini Filter Driver in a way that creates a race window between the validation (time of check) and the use (time of use) of a kernel object.
  3. Winning the Race: A concurrent thread deallocates the object during the race window, leaving the first thread holding a dangling pointer.
  4. Heap Manipulation: The attacker reclaims the freed memory with controlled data, a standard technique in kernel use after free exploitation.
  5. Privilege Escalation: When the driver dereferences the dangling pointer and operates on the attacker controlled data, it achieves arbitrary code execution in kernel context, escalating to SYSTEM.

The low attack complexity and absence of user interaction requirements make this a highly reliable escalation primitive once initial access is established.

Patch Information

Microsoft released an official fix for CVE-2026-35418 on May 12, 2026, as part of its May 2026 Patch Tuesday cycle. Because cldflt.sys is a closed source Windows kernel driver, no public source code diff is available. The fix is delivered exclusively through cumulative Windows security updates via Windows Update and the Microsoft Update Catalog.

At a conceptual level, the patch almost certainly addresses the TOCTOU race by adding proper synchronization or reference count management around the object lifecycle in the Cloud Files Mini Filter Driver. The fix would ensure the object is held with an additional reference (or protected by a lock) for the entire duration of the operation, closing the race window that previously allowed the dangling pointer dereference.

All affected products are listed with a customer action of "Required," indicating that manual or automatic patch deployment through Windows Update or WSUS is necessary.

Product FamilyKB Article(s)Patched Build(s)
Windows 10 Version 1809 / Server 2019KB508753810.0.17763.8755
Windows 10 Version 21H2KB508754410.0.19044.7291
Windows 10 Version 22H2KB508754410.0.19045.7291
Windows 11 Version 23H2KB508742010.0.22631.7079
Windows 11 Version 24H2KB5089549 / KB5089466 (hotpatch)10.0.26100.8457 / 10.0.26100.8390
Windows 11 Version 25H2KB5089549 / KB5089466 (hotpatch)10.0.26200.8457 / 10.0.26200.8390
Windows 11 Version 26H1KB508954810.0.28000.2113
Windows Server 2022KB5087545 / KB5087424 (hotpatch)10.0.20348.5139 / 10.0.20348.5074
Windows Server 2022 23H2 (Core)KB508754110.0.25398.2330
Windows Server 2025KB5087539 / KB5087423 (hotpatch)10.0.26100.32860 / 10.0.26100.32772

Notably, for several server editions and Windows 11 24H2/25H2, Microsoft provides both a standard cumulative update and a Security Hotpatch Update. The hotpatch mechanism allows the fix to be applied in memory without requiring an immediate reboot, which is particularly valuable for production server environments.

Affected Systems and Versions

The vulnerability spans 17 distinct Windows product versions across desktop and server platforms. The following configurations are affected:

Windows 10:

  • Version 1809: 32 bit Systems, x64 based Systems (builds prior to 10.0.17763.8755)
  • Version 21H2: 32 bit Systems, ARM64 based Systems, x64 based Systems (builds prior to 10.0.19044.7291)
  • Version 22H2: 32 bit Systems, ARM64 based Systems, x64 based Systems (builds prior to 10.0.19045.7291)

Windows 11:

  • Version 22H3: ARM64 based Systems (builds prior to 10.0.22631.7079)
  • Version 23H2: x64 based Systems (builds prior to 10.0.22631.7079)
  • Version 24H2: ARM64 based Systems, x64 based Systems (builds prior to 10.0.26100.8457)
  • Version 25H2: ARM64 based Systems, x64 based Systems (builds prior to 10.0.26200.8457)
  • Version 26H1: ARM64 based Systems, x64 based Systems (builds prior to 10.0.28000.2113)

Windows Server:

  • Windows Server 2019: x64 based Systems (builds prior to 10.0.17763.8755)
  • Windows Server 2022: x64 based Systems (builds prior to 10.0.20348.5139)
  • Windows Server 2022, 23H2 Edition (Server Core): x64 based Systems (builds prior to 10.0.25398.2330)
  • Windows Server 2025: x64 based Systems (builds prior to 10.0.26100.32860)

Server Core installations for the respective Windows Server versions are also affected and require the same fixed build versions.

Vendor Security History

While CVE-2026-35418 itself is not currently exploited, the cldflt.sys driver has been targeted before. In 2025, CVE-2025-62221 was a similar use after free vulnerability in the same Windows Cloud Files Mini Filter Driver that enabled local privilege escalation to SYSTEM and was actively exploited in the wild. This historical context is significant: it demonstrates that threat actors have already developed the expertise to weaponize vulnerabilities in this specific driver class and have successfully done so in real world attacks.

The May 2026 Patch Tuesday cycle addressed 120 vulnerabilities in total. Microsoft's established monthly update cadence provides a reliable remediation mechanism, though the volume of patches each cycle requires organizations to maintain efficient testing and deployment workflows.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization