An authorized local user can exploit a use‑after‑free condition in the Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) to elevate privileges. This flaw, identified as CWE‑416, allows the attacker to gain higher system privileges on the affected machine. The vulnerability does not grant remote access and requires local execution, but once achieved it can lead to full control over the operating system.

The vulnerability affects multiple Microsoft Windows editions. Specific product targets include Windows 10 versions 1607, 1809, 21H2 and 22H2; Windows 11 versions 23H2, 24H2, 25H2, 22H3 and 26H1; and Windows Server editions from 2012 R2 through 2025 (including Server Core installations). All versions listed in the CNA vendor product list are impacted.

The CVSS score of 7.0 categorizes this issue as high severity. Although EPSS data is not available, the local nature of the attack and the requirement of a privileged or at least a user account limit exploitation to an authorized user who can execute code on the machine. The flaw is not currently listed in CISA’s KEV catalog, indicating no confirmed widespread exploitation, but the high severity and the local privilege escalation capability make patching a priority. An authorized attacker could use the flaw to elevate privileges, bypass security restrictions, and potentially install malware or alter system settings.