CVE-2026-35418 - Windows Cloud Files Mini Filter Driver Use-After-Free Privilege Escalation
CVE-2026-35418 is a use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver that allows an authorized local attacker to elevate privileges.
CVE-2026-35418 is a use-after-free vulnerability affecting the Windows Cloud Files Mini Filter Driver. This vulnerability allows an attacker with local access to elevate their privileges on the system. The Cloud Files Mini Filter Driver is a component of the Windows operating system, responsible for managing cloud-backed files and file system virtualization. Successful exploitation of this vulnerability could lead to an attacker gaining elevated permissions, potentially allowing them to execute arbitrary code, modify system settings, or access sensitive information. The vulnerability was reported to Microsoft and assigned a CVSS v3.1 score of 7.8 (HIGH).
Attack Chain
- Attacker gains local access to the target Windows system.
- Attacker crafts a malicious request to interact with the Cloud Files Mini Filter Driver.
- The crafted request triggers a use-after-free condition within the driver.
- The driver attempts to access a memory location that has already been freed.
- The attacker manipulates the freed memory to point to attacker-controlled data.
- The driver executes code based on the attacker-controlled data.
- Attacker leverages this arbitrary code execution to escalate privileges.
- The attacker gains SYSTEM-level privileges on the local machine.
Impact
Successful exploitation of CVE-2026-35418 allows a local attacker to elevate their privileges to SYSTEM. This can lead to complete system compromise, including the ability to install programs; view, change, or delete data; or create new accounts with full user rights. Given the widespread use of Windows, this vulnerability poses a significant risk to organizations and individuals.
Recommendation
- Apply the security update provided by Microsoft to patch CVE-2026-35418 as soon as possible (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35418).
- Deploy the Sigma rule to detect potential exploitation attempts targeting CVE-2026-35418.
- Monitor for suspicious process creation events originating from the Cloud Files Mini Filter Driver using process creation logs.
Detection coverage (2 rules)
- Detect CVE-2026-35418 Exploitation Attempt - Cloud Files Mini Filter Driver (severity: high). Monitors for suspicious process creations originating from the Cloud Files Mini Filter Driver, indicating potential privilege escalation attempts.
- Detect CVE-2026-35418 - Modified Cloud Files Mini Filter Driver (severity: medium). Monitors for modifications to the Cloud Files Mini Filter Driver file, which could indicate malicious tampering for privilege escalation.
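The two coverage items above, written out as an added example in Python (this is not the platform's Sigma rules and not code from the advisory): a small Sigma-style matcher with `selections`/`filter` semantics, evaluated over constructed Sysmon-shaped events. Everything not on the page is an assumption: the driver binary is taken to be cldflt.sys under C:\Windows\System32\drivers; events carry the fields EventID, Image, ParentImage, CommandLine and TargetFilename; "process creations originating from the driver" is read as a process whose parent image or command line references the driver binary; and TrustedInstaller.exe is treated as the one expected writer of the driver file, an allow-list you would tune to your own patching tooling.

```python
"""Sigma-style matcher for the two CVE-2026-35418 coverage items, run over
constructed Sysmon-shaped events. Added example; the field names, the driver
path (cldflt.sys is assumed to be the Cloud Files Mini Filter Driver binary)
and the TrustedInstaller.exe allow-list are assumptions, not page content."""

DRIVER_FILE = "cldflt.sys"  # assumed binary name of the Cloud Files Mini Filter Driver
DRIVER_PATH = r"C:\Windows\System32\drivers\cldflt.sys"  # assumed location

# A rule fires when any selection matches and the filter (if any) does not.
# Keys use Sigma-style modifiers: "Field|contains", "Field|endswith"; a list
# value means "any of these".
RULES = [
    {
        "title": "Detect CVE-2026-35418 Exploitation Attempt - Cloud Files Mini Filter Driver",
        "level": "high",
        "selections": [  # Sysmon Event ID 1 = process creation
            {"EventID": 1, "ParentImage|endswith": "\\" + DRIVER_FILE},
            {"EventID": 1, "CommandLine|contains": DRIVER_FILE},
        ],
        "filter": None,
    },
    {
        "title": "Detect CVE-2026-35418 - Modified Cloud Files Mini Filter Driver",
        "level": "medium",
        "selections": [  # Sysmon Event ID 11 = FileCreate (incl. overwrite), 23 = FileDelete
            {"EventID": [11, 23], "TargetFilename|endswith": "\\drivers\\" + DRIVER_FILE},
        ],
        # Windows servicing legitimately replaces the driver; exclude it (tune to your estate)
        "filter": {"Image|endswith": "\\TrustedInstaller.exe"},
    },
]


def field_matches(event, key, expected):
    """Match one 'Field|modifier' key against an event; strings compare case-insensitively."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:
        if modifier == "" and value == cand:
            return True
        v, c = str(value).lower(), str(cand).lower()
        if modifier == "contains" and c in v:
            return True
        if modifier == "endswith" and v.endswith(c):
            return True
        if modifier == "startswith" and v.startswith(c):
            return True
    return False


def selection_matches(event, selection):
    """All fields of a selection must match (Sigma AND semantics within a selection)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(event, rule):
    """True when the event satisfies the rule: some selection hits and the filter does not."""
    if not any(selection_matches(event, s) for s in rule["selections"]):
        return False
    if rule["filter"] and selection_matches(event, rule["filter"]):
        return False
    return True


def run_rules(events, rules=RULES):
    """Return (event index, level, title) for every rule that fires on each event."""
    return [(i, r["level"], r["title"])
            for i, ev in enumerate(events) for r in rules if evaluate(ev, r)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: servicing stack replaces the driver during patching -> allow-listed, no alert
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": DRIVER_PATH},
    # 1: a binary in a user-writable temp folder overwrites the driver file -> medium
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetFilename": DRIVER_PATH},
    # 2: ordinary process creation with no relation to the driver -> no alert
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    # 3: process creation whose command line targets the driver binary -> high
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "CommandLine": r"cmd.exe /c copy upd.sys C:\Windows\System32\drivers\cldflt.sys"},
]

if __name__ == "__main__":
    for idx, level, title in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: [{level}] {title}")
```

On the constructed events the matcher fires the medium rule on event 1 and the high rule on event 3 and stays silent on the patching write and the unrelated process. Sysmon Event ID 11 records file creation and overwrite, not in-place writes; if you need those too, enable object-access auditing on the driver path (Security Event ID 4663) and feed the resulting events through the same matcher with an added selection.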