CVE-2026-41095: Use-After-Free in Data Deduplication Leads to Local Privilege Escalation
CVE-2026-41095 is a use-after-free vulnerability in the Data Deduplication component of Windows that allows an authenticated attacker to elevate privileges locally.
CVE-2026-41095 is a use-after-free vulnerability affecting the Data Deduplication feature in Microsoft Windows. An attacker with local access and valid credentials can exploit this vulnerability to gain elevated privileges on the system. The vulnerability stems from improper memory management within the Data Deduplication service. Successful exploitation allows an attacker to execute arbitrary code with elevated privileges, potentially leading to complete system compromise. This vulnerability poses a significant risk to systems where Data Deduplication is enabled, especially in environments where untrusted users have local access.
Attack Chain
- Attacker gains initial access to the target system with a valid user account.
- Attacker leverages Data Deduplication APIs to create, modify, or delete deduplication settings or data.
- The Data Deduplication service improperly frees memory associated with a deduplication chunk.
- The attacker triggers a condition where the freed memory is accessed again by the Data Deduplication service.
- Due to the use-after-free condition, the service attempts to operate on the freed memory, leading to a crash or unexpected behavior.
- The attacker exploits this memory corruption to inject and execute arbitrary code within the context of the Data Deduplication service.
- The injected code elevates the attacker’s privileges to SYSTEM.
Impact
Successful exploitation of CVE-2026-41095 allows an attacker to escalate their privileges from a standard user account to SYSTEM, the highest privilege level in Windows. This elevated access enables the attacker to perform a wide range of malicious activities, including installing malware, accessing sensitive data, modifying system configurations, and creating new user accounts with administrative rights. Systems with Data Deduplication enabled are at higher risk, particularly those accessible to multiple users with varying trust levels.
Recommendation
- Apply the security update released by Microsoft to patch CVE-2026-41095 immediately. (Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41095)
- Monitor process creation events for unusual activity originating from the Data Deduplication service to detect potential exploitation attempts.
- Implement the provided Sigma rule to detect potential attempts to exploit this vulnerability by monitoring for specific events related to the Data Deduplication service.
Detection coverage (2 rules)
Detect CVE-2026-41095 Exploitation Attempt - Data Deduplication Service Anomalous Process Creation
Severity: high. Detects CVE-2026-41095 exploitation. Monitors for unusual process creation events originating from the Data Deduplication service, which may indicate exploitation of the use-after-free vulnerability.
Detect CVE-2026-41095 Exploitation Attempt - Data Deduplication Service Modified
Severity: medium. Detects CVE-2026-41095 exploitation. Detects attempts to modify the Data Deduplication Service binary, which could indicate an attempt to exploit the use-after-free vulnerability.
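The two detection ideas above (anomalous child processes of the Data Deduplication service, and writes to the service binary) can be prototyped against normalized endpoint telemetry before they are turned into production Sigma rules. The following is an added example written for this page; it is not the advisory's Sigma rule and not Microsoft code. It assumes a constructed JSON-lines event format with Sysmon-style field names (Image, ParentImage, TargetFilename, User), assumes fsdmhost.exe as the image representing the deduplication service and C:\Windows\System32\ddpsvc.dll as the service binary, and uses constructed allowlists for expected children and expected writers; every sample event is made up for the demonstration. Adjust these constants to match what your own telemetry shows.

```python
import json
import ntpath
from dataclasses import dataclass
from typing import Iterable, Optional

# ASSUMPTION (not stated in the advisory): image names treated as the
# Data Deduplication service process. Verify against your own telemetry.
DEDUP_SERVICE_IMAGES = {"fsdmhost.exe"}

# ASSUMPTION: child images the service is expected to spawn during normal
# operation. Any other child is reported as anomalous.
EXPECTED_CHILD_IMAGES = {"conhost.exe"}

# ASSUMPTION: path of the service binary watched by the "service modified" rule.
DEDUP_SERVICE_BINARY = r"C:\Windows\System32\ddpsvc.dll"

# ASSUMPTION: processes that legitimately rewrite system binaries (servicing stack).
EXPECTED_WRITERS = {"tiworker.exe", "trustedinstaller.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str      # which of the two detection ideas fired
    level: str     # severity as listed on the page: high / medium
    image: str     # the process that triggered the alert
    detail: str    # human-readable context for the analyst


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def check_process_creation(ev: dict) -> Optional[Alert]:
    """Rule 1: Data Deduplication service spawning an unexpected child."""
    if ev.get("category") != "process_creation":
        return None
    parent = _basename(ev.get("ParentImage", ""))
    child = _basename(ev.get("Image", ""))
    if parent in DEDUP_SERVICE_IMAGES and child not in EXPECTED_CHILD_IMAGES:
        return Alert(
            rule="Data Deduplication Service Anomalous Process Creation",
            level="high",
            image=ev.get("Image", ""),
            detail=f"{parent} spawned {child} as {ev.get('User', '?')}",
        )
    return None


def check_service_binary_modified(ev: dict) -> Optional[Alert]:
    """Rule 2: a write to the service binary by something other than servicing."""
    if ev.get("category") != "file_write":
        return None
    if ev.get("TargetFilename", "").lower() != DEDUP_SERVICE_BINARY.lower():
        return None
    writer = _basename(ev.get("Image", ""))
    if writer in EXPECTED_WRITERS:
        return None
    return Alert(
        rule="Data Deduplication Service Modified",
        level="medium",
        image=ev.get("Image", ""),
        detail=f"{writer} wrote to {ev['TargetFilename']}",
    )


def run_detection(lines: Iterable[str]) -> list:
    """Parse JSON-lines events and return every alert, in input order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for check in (check_process_creation, check_service_binary_modified):
            alert = check(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs). Only events 3 and 5 should fire.
SAMPLE_LOG = r"""
{"category": "process_creation", "Image": "C:\\Windows\\System32\\fsdmhost.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"category": "process_creation", "Image": "C:\\Windows\\System32\\conhost.exe", "ParentImage": "C:\\Windows\\System32\\fsdmhost.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"category": "process_creation", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\fsdmhost.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"category": "file_write", "Image": "C:\\Windows\\WinSxS\\TiWorker.exe", "TargetFilename": "C:\\Windows\\System32\\ddpsvc.dll"}
{"category": "file_write", "Image": "C:\\Users\\alice\\tool.exe", "TargetFilename": "C:\\Windows\\System32\\ddpsvc.dll"}
{"category": "file_write", "Image": "C:\\Users\\alice\\tool.exe", "TargetFilename": "C:\\Windows\\Temp\\scratch.tmp"}
"""

if __name__ == "__main__":
    for a in run_detection(SAMPLE_LOG.splitlines()):
        print(f"[{a.level}] {a.rule}: {a.detail}")
```

The allowlists are the part that needs tuning in a real deployment: a deduplication job that legitimately spawns a helper will otherwise show up as a high-severity hit, and a patch cycle that replaces the service DLL should be attributed to the servicing stack rather than raised as a modification attempt.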