Skip to content
Threat Feed
high advisory

CVE-2026-35420 - Windows Kernel Heap-Based Buffer Overflow Local Privilege Escalation

CVE-2026-35420 is a heap-based buffer overflow vulnerability in the Windows Kernel that allows an authorized local attacker to elevate privileges.

CVE-2026-35420 is a critical heap-based buffer overflow vulnerability within the Windows Kernel. Disclosed on May 12, 2026, this flaw allows an attacker with local access to a system to potentially elevate their privileges. The vulnerability resides in the core of the operating system, making it a high-impact issue. Successful exploitation allows a local authenticated attacker to execute arbitrary code with elevated privileges. This vulnerability highlights the ongoing challenges in securing kernel-level components and the potential for privilege escalation when memory corruption issues are present.

Attack Chain

  1. An attacker gains local access to a Windows system with a standard user account.
  2. The attacker crafts a malicious input designed to trigger the heap-based buffer overflow in the Windows Kernel.
  3. The attacker executes a program or script that interacts with a vulnerable kernel function, passing the malicious input.
  4. The Windows Kernel processes the input, leading to a buffer overflow on the heap.
  5. The overflow corrupts adjacent memory regions in the heap, overwriting critical data structures.
  6. The attacker leverages the memory corruption to overwrite kernel code or data, redirecting execution flow.
  7. The attacker gains control of the system with elevated privileges, such as SYSTEM.
  8. The attacker can now perform privileged actions, install malware, or access sensitive data.

Impact

Successful exploitation of CVE-2026-35420 allows a local attacker to gain SYSTEM-level privileges on a vulnerable Windows system. This could lead to complete system compromise, including the ability to install malware, access sensitive data, and perform other malicious activities. The vulnerability affects the core of the operating system, making it a critical issue for any organization using affected Windows versions.

Recommendation

  • Apply the security update released by Microsoft to patch CVE-2026-35420 as soon as possible.
  • Deploy the Sigma rules provided to detect potential exploitation attempts targeting this vulnerability in process creation.
  • Enable and review Windows Kernel auditing logs for suspicious activity that may indicate exploitation attempts.
  • Monitor process creation events for unexpected processes being spawned with elevated privileges (see Sigma rules).

Detection coverage 2

Detects CVE-2026-35420 Exploitation Attempt — Suspicious Kernel Module Load

high

Detects CVE-2026-35420 exploitation attempt — monitors for suspicious kernel module loads that may indicate privilege escalation.

sigma tactics: privilege_escalation techniques: T1068 sources: image_load, windows

Detects CVE-2026-35420 Exploitation Attempt — Process Creation from System Process

high

Detects CVE-2026-35420 exploitation attempt — monitors for unexpected process creation events where the parent process is a system process (PID 4).

sigma tactics: execution, privilege_escalation techniques: T1059.001, T1068 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →