March 2026 Windows Updates brought a patch for three related vulnerabilities, CVE-2026-24291, CVE-2026-25186 and CVE-2026-25187. All three have a common root cause: a local user can create a symbolic link in a registry key associated with their user session and trick a privileged process into following that link and operating on the link's target as if it were the user's own data, resulting in privilege escalation or information disclosure.
The three issues were reported to Microsoft by Google Project Zero security researcher James Forshaw. After Microsoft had patched them, MDSec's Filip Dragovic published an article revealing that MDSec had also known about this issue (dubbed "RegPwn") and had been using it in their internal red team engagements.
We initially addressed CVE-2026-24291 with our patch, but the patch then turned out to also resolve CVE-2026-25186 and CVE-2026-25187, which is why we're covering all three issues in the same article (and the same patch).
The Vulnerability
The vulnerability is in the default permissions on the "Session <X>" subkey of the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility registry key. This subkey is created for every new desktop session, and its permissions allow the user who owns the session not only to modify its content but also to create registry symbolic links inside it. Because various privileged processes then read and act on the content of this subkey, a local attacker can redirect them to registry keys those processes would otherwise never touch on the user's behalf.
The three CVE IDs refer to different ways of exploiting the same problem:
- CVE-2026-24291: ATBroker.exe can be manipulated into creating an arbitrary registry key with arbitrary content, even in locations not writable by the user.
- CVE-2026-25186: ATBroker.exe can be manipulated into copying a sensitive registry key from a protected location where the user cannot read it to a location where the user can read it.
- CVE-2026-25187: Winlogon can be manipulated into deleting an arbitrary registry key, potentially disabling some security features.
Microsoft's Patch
Microsoft patched all these issues by removing the "create symbolic links" permission for the session user on the "Session <X>" registry key, while leaving the user's other rights on the key intact.
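Since Microsoft's fix consists of removing a single access right, the patched state can be verified directly from the key's ACL. The following PowerShell script is an added example (not part of the original post or of either vendor's code): it enumerates the "Session <X>" subkeys under the Accessibility key and reports every Allow ACE that grants KEY_CREATE_LINK (RegistryRights.CreateLink, 0x0020) to a principal other than SYSTEM or Administrators. The list of trusted principals is an assumption for this example; adjust it if your baseline differs.

```powershell
# Added example: audit the Accessibility\Session <X> keys for the "create symbolic links"
# right that Microsoft's March 2026 fix removes from the session user. Any non-privileged
# principal still holding CreateLink on one of these keys indicates an unpatched key.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility'

# Principals expected to hold full control (assumption for this example); anything else
# with CreateLink is flagged. Note that FullControl (0xF003F) includes the CreateLink bit.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$createLink = [System.Security.AccessControl.RegistryRights]::CreateLink

$findings = Get-ChildItem -Path $base -ErrorAction Stop |
    Where-Object { $_.PSChildName -like 'Session *' } |
    ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath
        foreach ($ace in $acl.Access) {
            # -band against the enum value; works for both enum and raw numeric rights.
            $grantsCreateLink = (([int]$ace.RegistryRights) -band ([int]$createLink)) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $grantsCreateLink -and
                ($trusted -notcontains $ace.IdentityReference.Value)) {
                [PSCustomObject]@{
                    Key       = $key.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }

if ($findings) {
    Write-Warning "CreateLink still granted to non-privileged principals on $($findings.Count) ACE(s):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No Session <X> key grants CreateLink to a non-privileged principal."
}
```

Run the script from an elevated PowerShell session so that Get-Acl can read the security descriptors. "Session <X>" keys exist only for sessions that have been created on the machine, so an empty result on a system with no interactive session is not evidence that the fix is in place; log on once and re-run the check.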
Our Patch
Micropatch Availability
Micropatches were written for the following security-adopted Windows versions:
- Windows 11 v22H2 - fully updated
- Windows 11 v21H2 - fully updated
- Windows 10 v22H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
- Windows Server 2012 - fully updated with no ESU, ESU 1 or ESU 2
- Windows Server 2012 R2 - fully updated with no ESU, ESU 1 or ESU 2
Windows 7 and Server 2008 R2 aren't using these registry keys in the same way, and were found not to be affected.
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
We'd like to thank Google Project Zero security researcher James Forshaw and MDSec's Filip Dragovic for publishing their analyses and proofs-of-concept, which allowed us to create a patch for legacy Windows users.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
To learn more about 0patch, please visit our Help Center.
