Tuesday, March 31, 2026

Micropatches released for Windows Storage Elevation of Privilege Vulnerability (CVE-2026-21508)

February 2026 Windows Updates brought a patch for CVE-2026-21508, a local privilege escalation vulnerability in the Windows Storage component that allows a low-privileged local user to run arbitrary code as Local System.

The vulnerability was found and reported to Microsoft by security researcher Oscar Zanotti Campo. Oscar subsequently published a detailed analysis of the vulnerability and a proof-of-concept, both of which allowed us to reproduce and patch this issue for our users.


The Vulnerability 

This flaw is in the windows.storage.dll module when used by WUDFHost.exe. The WUDFHost.exe process impersonates the user while loading sensitive registry keys from the Classes\CLSID\ path to resolve the target handles. A local attacker can leverage this to make WUDFHost use their own registry keys and load a malicious DLL, which can then revert the impersonation and run code as Local System.


Microsoft's Patch

Microsoft's patch forces WUDFHost.exe to load sensitive registry keys from the machine registry hive instead of from the calling user's hive.
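As an added illustration (this is not 0patch's code, nor the published proof-of-concept), the following PowerShell audit lists per-user CLSID registrations whose InprocServer32 DLL lives outside the Windows or Program Files directories, which is the kind of user-hive entry an impersonating WUDFHost could resolve before the patch moved the lookup to the machine hive. The function name Get-SuspiciousUserClsid, the trusted-directory list and the output fields are assumptions made for this example.

```powershell
# Added example (not 0patch's code): audit per-user COM class registrations.
# Because the unpatched WUDFHost resolved CLSIDs while impersonating the user,
# entries under the user's Classes\CLSID hive could shadow machine-wide ones.
# This lists HKCU CLSIDs whose InprocServer32 DLL is outside trusted directories
# and notes whether the same CLSID also exists in HKLM (the shadowing pattern).
function Get-SuspiciousUserClsid {
    param(
        # Hive path to inspect; HKCU by default, or HKU:\<SID>\Software\Classes\CLSID
        # for another loaded user hive (assumed parameter name).
        [string]$ClsidRoot = 'HKCU:\Software\Classes\CLSID',
        # Directory prefixes treated as trusted for in-process server DLLs (assumption).
        [string[]]$TrustedPrefixes = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    if (-not (Test-Path $ClsidRoot)) { return @() }

    Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { return }

        # The default value of InprocServer32 is the DLL path COM would load.
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($dll)) { return }
        $expanded = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')

        $trusted = $false
        foreach ($prefix in $TrustedPrefixes) {
            if ($prefix -and $expanded.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                $trusted = $true
                break
            }
        }
        if ($trusted) { return }

        [pscustomobject]@{
            CLSID       = $clsid
            Dll         = $expanded
            DllExists   = Test-Path -LiteralPath $expanded
            ShadowsHKLM = Test-Path "HKLM:\Software\Classes\CLSID\$clsid"
        }
    }
}

# Review the results by hand: legitimate per-user software also registers
# COM classes here, so a hit is a lead for investigation, not proof of abuse.
Get-SuspiciousUserClsid | Format-Table -AutoSize
```

Run it in the context of the user whose hive should be inspected; for an offline audit of other users, load their hives under HKU and pass that path as ClsidRoot.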


Our Patch

Our patch is logically identical to Microsoft's.


Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v22H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H1 - fully updated
  5. Windows 10 v20H2 - fully updated
  6. Windows 10 v2004 - fully updated
  7. Windows 10 v1909 - fully updated
  8. Windows 10 v1809 - fully updated
  9. Windows 10 v1803 - fully updated


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

We'd like to thank Oscar Zanotti Campo for sharing their analysis and proof-of-concept, which allowed us to create a patch and protect 0patch users against this issue.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.

To learn more about 0patch, please visit our Help Center.
