Description
Use after free in Windows SDK allows an authorized attacker to elevate privileges locally.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a use‑after‑free condition in the Windows Software Development Kit that allows an attacker with local authorization to gain elevated privileges on the affected system. The vulnerability arises when the SDK interacts with memory after it has been freed, resulting in the possibility of arbitrary code execution with higher privileges. This can compromise the confidentiality, integrity, or availability of the system if exploited by a malicious user on the same host.

Affected Systems

Affected operating systems include multiple releases of Windows 10 (v1809, v21H2, v22H2), several Windows 11 releases (v23H2, v24H2, v25H2, v26H1), and Windows Server editions such as Server 2019, Server 2022, and Server 2025 in both standard and Server Core installations. These versions are listed in the advisory with associated CPEs, and any machines running the included SDK components are at risk.

Risk and Exploitability

The CVSS score of 7.8 classifies the vulnerability as High severity, although no EPSS score is provided and it is not currently listed in the CISA KEV catalog. Based on the description, the attacker must have local access or authorization to trigger the use‑after‑free, making it a local privilege escalation scenario. The attack vector is inferred to be local rather than remote, and successful exploitation would enable an attacker to execute privileged code, potentially taking full control of the compromised machine.

Generated by OpenCVE AI on June 9, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Windows updates that contain the fix for CVE-2026-45593, as described in the Microsoft Security Update Guide.
  • If an update is not yet available for a specific OS version, remove or upgrade any components that rely on the vulnerable Windows SDK until a patch is released.
  • Continuously monitor Microsoft advisories for new updates or workarounds and apply them promptly when they become available.

Generated by OpenCVE AI on June 9, 2026 at 19:42 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2019 (server Core Installation)
Microsoft windows Server 2025 (server Core Installation)
Vendors & Products Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2019 (server Core Installation)
Microsoft windows Server 2025 (server Core Installation)
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Use after free in Windows SDK allows an authorized attacker to elevate privileges locally.
Title Windows SDK Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Weaknesses CWE-190
CWE-416
CPEs cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T10:19:27.147Z

Reserved: 2026-05-12T19:55:45.730Z

Link: CVE-2026-45593

Vulnrichment

Updated: 2026-06-10T10:19:22.044Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:27.240

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:15:05Z

Weaknesses