ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-35420 Windows Kernel Heap Buffer Overflow Enables Local Privilege Escalation

A short review of CVE-2026-35420, a heap-based buffer overflow in the Windows Kernel that allows locally authenticated attackers to escalate privileges to SYSTEM. Patch information covering all affected Windows client and server versions is included.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: CVE-2026-35420 Windows Kernel Heap Buffer Overflow Enables Local Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A heap-based buffer overflow in the Windows Kernel, patched in Microsoft's May 2026 Patch Tuesday, gives any locally authenticated user with low privileges a path to SYSTEM level access. With the vulnerability spanning every supported version of Windows from Server 2012 through Windows 11 26H1, the patch surface is broad and the deployment urgency is real, even though no active exploitation has been observed yet.

Technical Information

CVE-2026-35420 is classified under CWE-122 (Heap-based Buffer Overflow) and resides within the Windows Kernel itself. The CVSS v3.1 base score is 7.8, with the full vector string being:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Breaking this down: the attack vector is local, attack complexity is low, only low privileges are required, and no user interaction is needed. The impact ratings are high across all three pillars: confidentiality, integrity, and availability. The scope is unchanged, meaning the vulnerability's impact stays within the security authority of the vulnerable component, but that component is the kernel, so "unchanged scope" still means full host compromise.

Root Cause

The underlying flaw is a heap-based buffer overflow in the Windows Kernel. While Microsoft has not published source level details (this is a closed source component), the CWE-122 classification tells us that a buffer allocated on the heap can be written beyond its intended bounds. In a kernel context, this type of corruption can overwrite adjacent heap metadata or kernel objects, which an attacker can leverage to gain arbitrary code execution in ring 0.

Attack Flow

The exploitation path for CVE-2026-35420 follows a pattern common to local privilege escalation vulnerabilities in the Windows Kernel:

  1. Initial Access: The attacker must first obtain authenticated local access to the target system. This could be achieved through phishing, credential theft, exploitation of a separate remote access vulnerability, or simply through a legitimate but low privilege account (such as a compromised service account or a standard domain user).

  2. Triggering the Overflow: With low privilege access established, the attacker triggers the heap-based buffer overflow in the kernel. The low attack complexity and absence of any user interaction requirement mean this step can be automated and executed reliably.

  3. Heap Corruption and Escalation: The overflow corrupts heap metadata or adjacent objects in kernel memory. Through careful control of the overflow contents and heap layout (techniques well documented in kernel exploitation research), the attacker achieves arbitrary code execution in kernel mode.

  4. SYSTEM Access: Successful exploitation results in SYSTEM level access or a higher integrity level, granting the attacker complete control over the host's confidentiality, integrity, and availability.

Context Within the May 2026 Release

CVE-2026-35420 was not patched in isolation. It arrived alongside several other Windows Kernel Elevation of Privilege vulnerabilities:

CVE IDComponentCVSS ScoreExploitation AssessmentPublicly Disclosed
CVE-2026-35420Windows Kernel7.8Not specifiedNo
CVE-2026-33841Windows Kernel7.8Exploitation More LikelyNot stated
CVE-2026-40369Windows Kernel7.8Exploitation More LikelyNo

Including these flaws, there have been 13 disclosed Windows Kernel Elevation of Privilege vulnerabilities addressed in 2026 alone. While CVE-2026-35420 is not currently flagged as "Exploitation More Likely" like its counterparts, the clustering of kernel LPE fixes in a single release cycle suggests sustained research activity targeting this attack surface. Attackers frequently reverse engineer kernel patches to develop functional exploits, so the window between patch availability and exploit development may be narrow.

NVD Enrichment Status

As of the current reporting period, the National Vulnerability Database has not yet provided full enrichment or assessment details for CVE-2026-35420. Third party sources indicate the vulnerability affects Windows Server 2012 up to Server 2022 23H2, but administrators should consult the official Microsoft Security Response Center Update Guide for the definitive list of affected product builds and specific Knowledge Base articles.

Patch Information

Microsoft addressed CVE-2026-35420 through its May 12, 2026 Patch Tuesday release cycle. Because this is a closed source Windows Kernel vulnerability, no source level diff or commit is publicly available. The fix is delivered exclusively through binary cumulative updates and hotpatches via Windows Update, WSUS, and the Microsoft Update Catalog. The MSRC advisory confirms the remediation level is "Official Fix," meaning Microsoft considers the patch complete and final.

All updates are classified as "Important" severity with customer action marked as "Required" across all 13 affected product entries in the MSRC Security Update Guide.

Windows 11 (Client)

OS VersionKB ArticlePatched Build
Windows 11 25H2 / 24H2KB5089549OS Builds 26200.8457 / 26100.8457
Windows 11 25H2 / 24H2 (Hotpatch, Enterprise)KB5089466OS Builds 26200.8390 / 26100.8390
Windows 11 26H1KB5089548OS Build 28000.2113

Windows Server

OS VersionKB Article(s)Patched Build(s)
Windows Server 2025KB5087539, Hotpatch KB508742310.0.26100.32860 / 10.0.26100.32772
Windows Server 2022, 23H2 EditionKB508754110.0.25398.2330
Windows Server 2022KB5087545, Hotpatch KB508742410.0.20348.5139 / 10.0.20348.5074
Windows Server 2019KB508753810.0.17763.8755
Windows Server 2016KB508753710.0.14393.9140
Windows Server 2012 R2KB50874716.3.9600.23181
Windows Server 2012KB50874706.2.9200.26079

Hotpatch Availability

A notable aspect of this rollout is the availability of hotpatch variants: KB5089466 for Windows 11 Enterprise, KB5087423 for Server 2025, and KB5087424 for Server 2022. Hotpatches apply security fixes to in memory code without requiring an immediate reboot, which is particularly valuable for production server environments. Eligible devices enrolled through Microsoft Intune with a hotpatch enabled quality update policy will receive these automatically. The hotpatch addresses the same kernel vulnerability but delivers it at a slightly different OS build number than the full cumulative update; organizations should verify which update path applies to their deployment.

No official workarounds or alternative compensating controls have been documented for this specific kernel flaw, making patching the only verified defense.

Affected Systems and Versions

Based on the MSRC advisory and patch data, the following systems are affected:

Windows 11 Client:

  • Windows 11 25H2 (builds prior to 26200.8457)
  • Windows 11 24H2 (builds prior to 26100.8457)
  • Windows 11 26H1 (builds prior to 28000.2113)

Windows Server:

  • Windows Server 2025 (builds prior to 10.0.26100.32860)
  • Windows Server 2022, 23H2 Edition (builds prior to 10.0.25398.2330)
  • Windows Server 2022 (builds prior to 10.0.20348.5139)
  • Windows Server 2019 (builds prior to 10.0.17763.8755)
  • Windows Server 2016 (builds prior to 10.0.14393.9140)
  • Windows Server 2012 R2 (builds prior to 6.3.9600.23181)
  • Windows Server 2012 (builds prior to 6.2.9200.26079)

Third party sources corroborate that the vulnerability spans from Windows Server 2012 through Server 2022 23H2 and current Windows 11 releases.

Vendor Security History

The May 2026 Patch Tuesday was notably large, with between 118 and 120 CVEs addressed depending on the source. It was the first release since June 2024 with no zero days exploited or publicly disclosed. Microsoft attributed the larger release volume partly to a new multi-model AI driven scanning harness that is surfacing additional issues in previously studied code. Of the 120 flaws patched, 17 were classified as Critical, and 16 were discovered by this new agentic security system.

The Windows Kernel has been a consistent source of privilege escalation vulnerabilities. In 2026 alone, 13 Windows Kernel Elevation of Privilege vulnerabilities have been disclosed and patched. This sustained volume reflects both the complexity of the kernel codebase and the high value that kernel LPE bugs hold for attackers building exploit chains.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization