Introduction
A use after free vulnerability in the Windows Cloud Files Mini Filter Driver now gives any locally authenticated user a reliable path to SYSTEM privileges, requiring no user interaction and only low privilege access. With 17 distinct Windows product versions affected across the desktop and server landscape, and a historical precedent of active exploitation targeting this exact driver, CVE-2026-35418 deserves prompt attention from security teams managing Windows estates.
Technical Information
The Vulnerable Component: cldflt.sys
The Windows Cloud Files Mini Filter Driver, cldflt.sys, is a kernel mode minifilter that sits at the core of the storage stack in the Windows cloud files API. It acts as a proxy between user applications and sync engines, working directly with the Windows Shell to present cloud data as locally available on NTFS volumes. This driver underpins features like OneDrive Files On Demand and is loaded on virtually every modern Windows installation that uses cloud file synchronization.
Root Cause: TOCTOU Race Leading to Use After Free
Microsoft identifies two weaknesses associated with this flaw: CWE-416 (Use After Free) and CWE-367 (Time of Check Time of Use Race Condition). The vulnerability arises when one kernel thread validates and begins operating on an object managed by the minifilter while a concurrent thread triggers that object's deallocation. The first thread then continues to reference the now freed memory through a dangling pointer.
Because cldflt.sys operates in kernel space, corrupting memory through this dangling pointer dereference can yield arbitrary code execution at the highest privilege level. The CVSS 3.1 vector string captures the severity well:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
This translates to a base score of 7.8 and a temporal score of 6.8. The key takeaways from the vector: local access is required, but attack complexity is low, only low privileges are needed, and no user interaction is necessary. Impact is high across all three pillars of confidentiality, integrity, and availability.
Attack Flow
Exploitation of CVE-2026-35418 follows a post compromise privilege escalation pattern:
- Initial Access: The attacker obtains a low privilege session on the target system through any means (phishing, credential theft, exploitation of another vulnerability).
- Triggering the Race: The attacker crafts operations that interact with the Cloud Files Mini Filter Driver in a way that creates a race window between the validation (time of check) and the use (time of use) of a kernel object.
- Winning the Race: A concurrent thread deallocates the object during the race window, leaving the first thread holding a dangling pointer.
- Heap Manipulation: The attacker reclaims the freed memory with controlled data, a standard technique in kernel use after free exploitation.
- Privilege Escalation: When the driver dereferences the dangling pointer and operates on the attacker controlled data, it achieves arbitrary code execution in kernel context, escalating to SYSTEM.
The low attack complexity and absence of user interaction requirements make this a highly reliable escalation primitive once initial access is established.
Patch Information
Microsoft released an official fix for CVE-2026-35418 on May 12, 2026, as part of its May 2026 Patch Tuesday cycle. Because cldflt.sys is a closed source Windows kernel driver, no public source code diff is available. The fix is delivered exclusively through cumulative Windows security updates via Windows Update and the Microsoft Update Catalog.
At a conceptual level, the patch almost certainly addresses the TOCTOU race by adding proper synchronization or reference count management around the object lifecycle in the Cloud Files Mini Filter Driver. The fix would ensure the object is held with an additional reference (or protected by a lock) for the entire duration of the operation, closing the race window that previously allowed the dangling pointer dereference.
All affected products are listed with a customer action of "Required," indicating that manual or automatic patch deployment through Windows Update or WSUS is necessary.
| Product Family | KB Article(s) | Patched Build(s) |
|---|---|---|
| Windows 10 Version 1809 / Server 2019 | KB5087538 | 10.0.17763.8755 |
| Windows 10 Version 21H2 | KB5087544 | 10.0.19044.7291 |
| Windows 10 Version 22H2 | KB5087544 | 10.0.19045.7291 |
| Windows 11 Version 23H2 | KB5087420 | 10.0.22631.7079 |
| Windows 11 Version 24H2 | KB5089549 / KB5089466 (hotpatch) | 10.0.26100.8457 / 10.0.26100.8390 |
| Windows 11 Version 25H2 | KB5089549 / KB5089466 (hotpatch) | 10.0.26200.8457 / 10.0.26200.8390 |
| Windows 11 Version 26H1 | KB5089548 | 10.0.28000.2113 |
| Windows Server 2022 | KB5087545 / KB5087424 (hotpatch) | 10.0.20348.5139 / 10.0.20348.5074 |
| Windows Server 2022 23H2 (Core) | KB5087541 | 10.0.25398.2330 |
| Windows Server 2025 | KB5087539 / KB5087423 (hotpatch) | 10.0.26100.32860 / 10.0.26100.32772 |
Notably, for several server editions and Windows 11 24H2/25H2, Microsoft provides both a standard cumulative update and a Security Hotpatch Update. The hotpatch mechanism allows the fix to be applied in memory without requiring an immediate reboot, which is particularly valuable for production server environments.
Affected Systems and Versions
The vulnerability spans 17 distinct Windows product versions across desktop and server platforms. The following configurations are affected:
Windows 10:
- Version 1809: 32 bit Systems, x64 based Systems (builds prior to 10.0.17763.8755)
- Version 21H2: 32 bit Systems, ARM64 based Systems, x64 based Systems (builds prior to 10.0.19044.7291)
- Version 22H2: 32 bit Systems, ARM64 based Systems, x64 based Systems (builds prior to 10.0.19045.7291)
Windows 11:
- Version 22H3: ARM64 based Systems (builds prior to 10.0.22631.7079)
- Version 23H2: x64 based Systems (builds prior to 10.0.22631.7079)
- Version 24H2: ARM64 based Systems, x64 based Systems (builds prior to 10.0.26100.8457)
- Version 25H2: ARM64 based Systems, x64 based Systems (builds prior to 10.0.26200.8457)
- Version 26H1: ARM64 based Systems, x64 based Systems (builds prior to 10.0.28000.2113)
Windows Server:
- Windows Server 2019: x64 based Systems (builds prior to 10.0.17763.8755)
- Windows Server 2022: x64 based Systems (builds prior to 10.0.20348.5139)
- Windows Server 2022, 23H2 Edition (Server Core): x64 based Systems (builds prior to 10.0.25398.2330)
- Windows Server 2025: x64 based Systems (builds prior to 10.0.26100.32860)
Server Core installations for the respective Windows Server versions are also affected and require the same fixed build versions.
Vendor Security History
While CVE-2026-35418 itself is not currently exploited, the cldflt.sys driver has been targeted before. In 2025, CVE-2025-62221 was a similar use after free vulnerability in the same Windows Cloud Files Mini Filter Driver that enabled local privilege escalation to SYSTEM and was actively exploited in the wild. This historical context is significant: it demonstrates that threat actors have already developed the expertise to weaponize vulnerabilities in this specific driver class and have successfully done so in real world attacks.
The May 2026 Patch Tuesday cycle addressed 120 vulnerabilities in total. Microsoft's established monthly update cadence provides a reliable remediation mechanism, though the volume of patches each cycle requires organizations to maintain efficient testing and deployment workflows.
References
- CVE-2026-35418, Microsoft Security Update Guide
- CVE-2026-35418, NVD
- CVE Record: CVE-2026-35418
- CVE-2026-35418, Tenable
- Build a Cloud Sync Engine that Supports Placeholder Files, Microsoft Learn
- Microsoft Patch Tuesday May 2026, CybersecurityNews
- Microsoft May 2026 Patch Tuesday, SANS ISC
- Windows Cloud Files Mini Filter Driver Privilege Escalation (CVE-2025-62221), RedLegg
- Desktop Operating System Market Share Worldwide, StatCounter
- Microsoft Security Update Guide



