Skip to content
Threat Feed
high threat exploited

CVE-2026-35415: Windows Storage Spaces Controller Integer Overflow Privilege Escalation

CVE-2026-35415 is an integer overflow vulnerability in the Windows Storage Spaces Controller that allows a locally authorized attacker to elevate privileges.

CVE-2026-35415 is an integer overflow vulnerability affecting the Windows Storage Spaces Controller. This vulnerability allows an attacker with local access to the system and valid credentials to elevate their privileges. The vulnerability stems from an integer overflow or wraparound condition within the Storage Spaces Controller, potentially leading to memory corruption or other exploitable conditions. Successful exploitation of this flaw would allow an attacker to gain higher-level permissions on the compromised system, potentially leading to full system control. As of the publication of this brief, there are no known reports of active exploitation in the wild.

Attack Chain

  1. Attacker gains initial local access to a Windows system with valid credentials.
  2. The attacker interacts with the Windows Storage Spaces Controller.
  3. The attacker crafts specific input that triggers an integer overflow within the Storage Spaces Controller.
  4. The integer overflow leads to a memory corruption condition.
  5. The attacker leverages the memory corruption to overwrite critical system data structures.
  6. The attacker manipulates their user privileges within the system.
  7. The attacker successfully elevates their privileges to SYSTEM or another high-privileged account.
  8. The attacker performs privileged actions on the system.

Impact

Successful exploitation of CVE-2026-35415 allows a local attacker to elevate privileges on a Windows system. This could lead to a complete compromise of the affected system, allowing the attacker to install malware, steal sensitive data, or perform other malicious activities. The vulnerability affects any system where the Storage Spaces Controller is enabled. The number of potential victims is wide, since Windows is the most popular OS.

Recommendation

  • Apply the security update provided by Microsoft to patch CVE-2026-35415 as soon as possible, referencing the Microsoft advisory URL in the references section.
  • Deploy the Sigma rule provided to detect potential exploitation attempts of CVE-2026-35415 by monitoring for suspicious Storage Spaces Controller activity.
  • Monitor for unauthorized privilege escalation attempts following potential exploitation attempts.

Detection coverage 2

Detects CVE-2026-35415 Exploitation — Suspicious Storage Spaces Process Creation

high

Detects CVE-2026-35415 exploitation attempt — monitors for unusual processes spawned by the Storage Spaces Controller service which could indicate privilege escalation.

sigma tactics: privilege_escalation techniques: T1068, T1548.002 sources: process_creation, windows

Detects CVE-2026-35415 Exploitation — Storage Spaces Controller Executing PowerShell

medium

Detects CVE-2026-35415 exploitation attempt — monitors for PowerShell execution originating from the Storage Spaces Controller, which is unusual behavior.

sigma tactics: execution, privilege_escalation techniques: T1059.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →