Introduction
A heap-based buffer overflow in the Windows Kernel, patched in Microsoft's May 2026 Patch Tuesday, gives any locally authenticated user with low privileges a path to SYSTEM level access. With the vulnerability spanning every supported version of Windows from Server 2012 through Windows 11 26H1, the patch surface is broad and the deployment urgency is real, even though no active exploitation has been observed yet.
Technical Information
CVE-2026-35420 is classified under CWE-122 (Heap-based Buffer Overflow) and resides within the Windows Kernel itself. The CVSS v3.1 base score is 7.8, with the full vector string being:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Breaking this down: the attack vector is local, attack complexity is low, only low privileges are required, and no user interaction is needed. The impact ratings are high across all three pillars: confidentiality, integrity, and availability. The scope is unchanged, meaning the vulnerability's impact stays within the security authority of the vulnerable component, but that component is the kernel, so "unchanged scope" still means full host compromise.
Root Cause
The underlying flaw is a heap-based buffer overflow in the Windows Kernel. While Microsoft has not published source level details (this is a closed source component), the CWE-122 classification tells us that a buffer allocated on the heap can be written beyond its intended bounds. In a kernel context, this type of corruption can overwrite adjacent heap metadata or kernel objects, which an attacker can leverage to gain arbitrary code execution in ring 0.
Attack Flow
The exploitation path for CVE-2026-35420 follows a pattern common to local privilege escalation vulnerabilities in the Windows Kernel:
-
Initial Access: The attacker must first obtain authenticated local access to the target system. This could be achieved through phishing, credential theft, exploitation of a separate remote access vulnerability, or simply through a legitimate but low privilege account (such as a compromised service account or a standard domain user).
-
Triggering the Overflow: With low privilege access established, the attacker triggers the heap-based buffer overflow in the kernel. The low attack complexity and absence of any user interaction requirement mean this step can be automated and executed reliably.
-
Heap Corruption and Escalation: The overflow corrupts heap metadata or adjacent objects in kernel memory. Through careful control of the overflow contents and heap layout (techniques well documented in kernel exploitation research), the attacker achieves arbitrary code execution in kernel mode.
-
SYSTEM Access: Successful exploitation results in SYSTEM level access or a higher integrity level, granting the attacker complete control over the host's confidentiality, integrity, and availability.
Context Within the May 2026 Release
CVE-2026-35420 was not patched in isolation. It arrived alongside several other Windows Kernel Elevation of Privilege vulnerabilities:
| CVE ID | Component | CVSS Score | Exploitation Assessment | Publicly Disclosed |
|---|---|---|---|---|
| CVE-2026-35420 | Windows Kernel | 7.8 | Not specified | No |
| CVE-2026-33841 | Windows Kernel | 7.8 | Exploitation More Likely | Not stated |
| CVE-2026-40369 | Windows Kernel | 7.8 | Exploitation More Likely | No |
Including these flaws, there have been 13 disclosed Windows Kernel Elevation of Privilege vulnerabilities addressed in 2026 alone. While CVE-2026-35420 is not currently flagged as "Exploitation More Likely" like its counterparts, the clustering of kernel LPE fixes in a single release cycle suggests sustained research activity targeting this attack surface. Attackers frequently reverse engineer kernel patches to develop functional exploits, so the window between patch availability and exploit development may be narrow.
NVD Enrichment Status
As of the current reporting period, the National Vulnerability Database has not yet provided full enrichment or assessment details for CVE-2026-35420. Third party sources indicate the vulnerability affects Windows Server 2012 up to Server 2022 23H2, but administrators should consult the official Microsoft Security Response Center Update Guide for the definitive list of affected product builds and specific Knowledge Base articles.
Patch Information
Microsoft addressed CVE-2026-35420 through its May 12, 2026 Patch Tuesday release cycle. Because this is a closed source Windows Kernel vulnerability, no source level diff or commit is publicly available. The fix is delivered exclusively through binary cumulative updates and hotpatches via Windows Update, WSUS, and the Microsoft Update Catalog. The MSRC advisory confirms the remediation level is "Official Fix," meaning Microsoft considers the patch complete and final.
All updates are classified as "Important" severity with customer action marked as "Required" across all 13 affected product entries in the MSRC Security Update Guide.
Windows 11 (Client)
| OS Version | KB Article | Patched Build |
|---|---|---|
| Windows 11 25H2 / 24H2 | KB5089549 | OS Builds 26200.8457 / 26100.8457 |
| Windows 11 25H2 / 24H2 (Hotpatch, Enterprise) | KB5089466 | OS Builds 26200.8390 / 26100.8390 |
| Windows 11 26H1 | KB5089548 | OS Build 28000.2113 |
Windows Server
| OS Version | KB Article(s) | Patched Build(s) |
|---|---|---|
| Windows Server 2025 | KB5087539, Hotpatch KB5087423 | 10.0.26100.32860 / 10.0.26100.32772 |
| Windows Server 2022, 23H2 Edition | KB5087541 | 10.0.25398.2330 |
| Windows Server 2022 | KB5087545, Hotpatch KB5087424 | 10.0.20348.5139 / 10.0.20348.5074 |
| Windows Server 2019 | KB5087538 | 10.0.17763.8755 |
| Windows Server 2016 | KB5087537 | 10.0.14393.9140 |
| Windows Server 2012 R2 | KB5087471 | 6.3.9600.23181 |
| Windows Server 2012 | KB5087470 | 6.2.9200.26079 |
Hotpatch Availability
A notable aspect of this rollout is the availability of hotpatch variants: KB5089466 for Windows 11 Enterprise, KB5087423 for Server 2025, and KB5087424 for Server 2022. Hotpatches apply security fixes to in memory code without requiring an immediate reboot, which is particularly valuable for production server environments. Eligible devices enrolled through Microsoft Intune with a hotpatch enabled quality update policy will receive these automatically. The hotpatch addresses the same kernel vulnerability but delivers it at a slightly different OS build number than the full cumulative update; organizations should verify which update path applies to their deployment.
No official workarounds or alternative compensating controls have been documented for this specific kernel flaw, making patching the only verified defense.
Affected Systems and Versions
Based on the MSRC advisory and patch data, the following systems are affected:
Windows 11 Client:
- Windows 11 25H2 (builds prior to 26200.8457)
- Windows 11 24H2 (builds prior to 26100.8457)
- Windows 11 26H1 (builds prior to 28000.2113)
Windows Server:
- Windows Server 2025 (builds prior to 10.0.26100.32860)
- Windows Server 2022, 23H2 Edition (builds prior to 10.0.25398.2330)
- Windows Server 2022 (builds prior to 10.0.20348.5139)
- Windows Server 2019 (builds prior to 10.0.17763.8755)
- Windows Server 2016 (builds prior to 10.0.14393.9140)
- Windows Server 2012 R2 (builds prior to 6.3.9600.23181)
- Windows Server 2012 (builds prior to 6.2.9200.26079)
Third party sources corroborate that the vulnerability spans from Windows Server 2012 through Server 2022 23H2 and current Windows 11 releases.
Vendor Security History
The May 2026 Patch Tuesday was notably large, with between 118 and 120 CVEs addressed depending on the source. It was the first release since June 2024 with no zero days exploited or publicly disclosed. Microsoft attributed the larger release volume partly to a new multi-model AI driven scanning harness that is surfacing additional issues in previously studied code. Of the 120 flaws patched, 17 were classified as Critical, and 16 were discovered by this new agentic security system.
The Windows Kernel has been a consistent source of privilege escalation vulnerabilities. In 2026 alone, 13 Windows Kernel Elevation of Privilege vulnerabilities have been disclosed and patched. This sustained volume reflects both the complexity of the kernel codebase and the high value that kernel LPE bugs hold for attackers building exploit chains.
References
- NVD: CVE-2026-35420
- MSRC Security Update Guide: CVE-2026-35420
- Tenable: CVE-2026-35420
- Tenable: May 2026 Microsoft Patch Tuesday
- Zero Day Initiative: The May 2026 Security Update Review
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Microsoft MSRC Blog: A Note on Patch Tuesday
- SecPod: 120 Vulnerabilities Patched in May 2026
- Infosecurity Magazine: Microsoft Fixes 17 Critical Flaws in May Patch Tuesday
- VulDB: CVE-2026-35420
- KB5089549: Windows 11 25H2/24H2 Cumulative Update
- KB5089548: Windows 11 26H1 Cumulative Update
- KB5089466: Windows 11 Enterprise Hotpatch



