{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/efs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-26153"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["efs","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-26153 is a security vulnerability affecting the Windows Encrypting File System (EFS). This out-of-bounds read vulnerability enables an attacker with local access and valid user credentials to elevate their privileges on the system. The vulnerability stems from improper handling of file system data, leading to a read operation beyond the allocated buffer. Successful exploitation allows the attacker to gain higher-level permissions, potentially compromising the entire system. This vulnerability poses a significant risk to environments where EFS is used to protect sensitive data, as it weakens the security guarantees provided by encryption. 
Defenders need to prioritize patching this CVE.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial local access to the target Windows system with a standard user account.\u003c/li\u003e\n\u003cli\u003eAttacker leverages existing EFS functionality to interact with encrypted files.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a specific EFS request that triggers the out-of-bounds read vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerable EFS component attempts to read data beyond the allocated buffer.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds read operation retrieves sensitive information, such as security tokens or memory addresses of privileged processes.\u003c/li\u003e\n\u003cli\u003eAttacker uses the leaked information to forge or hijack a privileged process.\u003c/li\u003e\n\u003cli\u003eAttacker elevates their privileges to SYSTEM or Administrator.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious actions, such as installing malware, accessing sensitive data, or creating new privileged accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26153 allows a local attacker to elevate their privileges on a Windows system. This can lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and creation of new privileged accounts. The vulnerability affects any system using Windows Encrypting File System (EFS). 
Given a CVSS score of 7.8, this is considered a high-severity vulnerability, especially in environments where local user accounts are common (e.g., shared workstations, VDI environments).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the Microsoft patch for CVE-2026-26153 as soon as possible to remediate the vulnerability (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26153\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26153\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect EFS Access Followed by Privileged Process Creation\u0026rdquo; to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious process creation events originating from EFS-related processes, as highlighted in the attack chain.\u003c/li\u003e\n\u003cli\u003eInvestigate any unusual activity related to EFS file operations using file_event logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-cve-2026-26153-efs-privesc/","summary":"CVE-2026-26153 is an out-of-bounds read vulnerability in the Windows Encrypting File System (EFS) that allows an authorized local attacker to elevate privileges.","title":"CVE-2026-26153: Windows EFS Out-of-Bounds Read Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-04-cve-2026-26153-efs-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Efs","version":"https://jsonfeed.org/version/1.1"}