CVE-2026-32074 Double Free in Windows Projected File System
CVE-2026-32074 is a double free vulnerability in the Windows Projected File System that allows a local attacker to elevate privileges.
CVE-2026-32074 is a double-free vulnerability affecting the Windows Projected File System (ProjFS). This vulnerability allows an attacker with local access to the system to elevate their privileges. The vulnerability lies in improper memory management within ProjFS, potentially leading to a double free condition. An authenticated attacker can exploit this vulnerability to gain elevated system privileges. The specific version(s) of Windows affected are detailed in the Microsoft Security Response Center advisory for CVE-2026-32074. This elevation of privilege could allow the attacker to perform actions they would otherwise be restricted from, such as installing programs, viewing, changing, or deleting data, or creating new accounts with full user rights.
Attack Chain
- Attacker gains initial access to the target Windows system with a standard user account.
- Attacker crafts a malicious application designed to interact with the Projected File System.
- The malicious application triggers a specific sequence of ProjFS API calls to manipulate file system projections.
- The crafted API calls cause ProjFS to free a memory location twice.
- The double free corrupts the heap, potentially allowing the attacker to overwrite critical data structures.
- The attacker leverages the heap corruption to overwrite security tokens or other privilege-related data within the Windows kernel.
- The attacker executes code that assumes the identity of a privileged user or system process.
- Attacker successfully elevates their privileges and gains elevated access to the system.
Impact
Successful exploitation of CVE-2026-32074 allows a local attacker to elevate their privileges on a vulnerable Windows system. This could lead to complete system compromise, including the ability to install programs, view, change, or delete data, or create new accounts with full user rights. The impact is significant as it bypasses standard access controls and allows an attacker to perform any action on the system. While the number of affected systems isn't specified, any Windows system running the vulnerable version of ProjFS is susceptible to this attack.
Recommendation
- Apply the security update provided by Microsoft for CVE-2026-32074 as detailed in the Microsoft Security Response Center advisory to patch the double-free vulnerability in ProjFS.
- Enable and review process creation logs for unusual processes spawned by applications interacting with the Projected File System, which might indicate exploitation attempts (logsource: process_creation).
- Implement application control policies to restrict the execution of untrusted or unsigned applications that may attempt to exploit this vulnerability.
Detection coverage 2
Detect Potential ProjFS Exploitation via Process Creation
highDetects the creation of unusual processes potentially related to ProjFS exploitation attempts.
Detect Modification of Security Tokens via Process Creation
mediumDetects the creation of processes that may attempt to modify security tokens, a common technique used in privilege escalation attacks.
Detection queries are available on the platform. Get full rules →