Pending Analysis: CVE-2026-27908

CVE-2026-27908: Privilege Escalation in Windows TDI Driver

Platform

windows

Component

tdx

Fixed in

10.0.28000.1836

CVE-2026-27908 describes a use-after-free vulnerability discovered in the Windows TDI Translation Driver (tdx.sys). This flaw allows a local, authenticated attacker to escalate their privileges on the affected system. The vulnerability impacts Windows 10 versions ranging from 10.0.14393.0 to 10.0.28000.1836. Microsoft has released a patch in version 10.0.28000.1836 to address this issue.

Impact and Attack Scenarios

The use-after-free vulnerability in tdx.sys presents a significant risk of local privilege escalation. An attacker who can successfully exploit this flaw can gain SYSTEM-level privileges, effectively gaining complete control over the compromised machine. This could involve installing malware, accessing sensitive data, modifying system configurations, or creating new user accounts with administrative rights. The impact is particularly severe in environments where user accounts have elevated privileges or where attackers can leverage compromised accounts to move laterally within the network. While the vulnerability requires local access, the potential for SYSTEM-level compromise makes it a high-priority concern.

Exploitation Context

CVE-2026-27908 was published on April 14, 2026. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and carries only a low EPSS score (0.06%), suggesting a currently low probability of active exploitation. Public proof-of-concept (POC) code is not yet available, which further reduces the immediate risk. However, given the nature of use-after-free vulnerabilities, it is likely that POCs will emerge over time, increasing the potential for exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: Low

EPSS

0.06% (19th percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSS v3.1 Base Score: 7.0 (HIGH)

Attack Vector: Local (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
What do these metrics mean?
Attack Vector
Local — attacker needs a local shell or interactive session on the system.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: tdx
Vendor: Microsoft
Minimum version: 10.0.14393.0
Maximum version: 10.0.28000.1836
Fixed in: 10.0.28000.1836

Weakness Classification (CWE)

Timeline

  1. Published
  2. Modified
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-27908 is to upgrade affected Windows 10 systems to version 10.0.28000.1836 or later, where the vulnerability has been patched. If immediate patching is not feasible, consider implementing stricter access controls to limit the potential impact of a successful attack. Review user account privileges and ensure the principle of least privilege is enforced. Monitor system logs for suspicious activity related to the TDI Translation Driver. While a direct workaround isn't available, implementing robust endpoint detection and response (EDR) solutions can help detect and respond to exploitation attempts. After upgrading, confirm the fix by checking the Windows build version using `systeminfo | findstr /B /C:"OS Version:"` and verifying it is greater than or equal to 10.0.28000.1836.
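An added PowerShell verification script (not part of this advisory or of any Microsoft tooling) that reads the full four-part build from the registry, compares it against the fixed build stated above, and reports the file version of the driver; the driver path under System32\drivers is an assumption, since the page does not state it.

```powershell
# Added example: verify whether this host is at or above the fixed build for
# CVE-2026-27908. The fixed build is taken from the advisory; the driver path
# is the usual location and is an assumption, not something the advisory states.
$FixedBuild    = [version]'10.0.28000.1836'   # "Fixed in" value from the advisory
$AffectedFloor = [version]'10.0.14393.0'      # "Minimum version" from the advisory

function Get-InstalledWindowsVersion {
    # CurrentBuildNumber plus UBR (Update Build Revision) gives the four-part
    # build that the advisory's version range refers to; Win32_OperatingSystem
    # only exposes the three-part value and would hide the revision.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber,
                                  $cv.CurrentMinorVersionNumber,
                                  $cv.CurrentBuildNumber,
                                  $cv.UBR)
}

function Test-Cve202627908Fixed {
    param(
        [version]$Fixed = $FixedBuild,
        [version]$Floor = $AffectedFloor
    )
    $installed = Get-InstalledWindowsVersion
    $result = [pscustomobject]@{
        InstalledBuild  = $installed
        FixedBuild      = $Fixed
        InAffectedRange = ($installed -ge $Floor) -and ($installed -lt $Fixed)
        Patched         = $installed -ge $Fixed
        DriverVersion   = $null
    }
    # Report the on-disk driver's own file version for the change record.
    # Assumed path; adjust if tdx.sys lives elsewhere on this build.
    $driver = Join-Path $env:SystemRoot 'System32\drivers\tdx.sys'
    if (Test-Path $driver) {
        $result.DriverVersion = (Get-Item $driver).VersionInfo.FileVersion
    }
    $result
}

Test-Cve202627908Fixed | Format-List
```

Run it in an elevated or standard PowerShell session on each Windows 10 host; a `Patched` value of False with `InAffectedRange` True means the host still needs the update.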

How to fix

Apply the security updates provided by Microsoft for your version of Windows. These updates correct the use-after-free vulnerability in the TDI Translation Driver (tdx.sys), preventing the possible elevation of privileges.

Frequently asked questions

What is CVE-2026-27908 — Privilege Escalation in Windows TDI Driver?

CVE-2026-27908 is a use-after-free vulnerability in the Windows TDI Translation Driver (tdx.sys) allowing local privilege escalation. It affects Windows 10 versions 10.0.14393.0 through 10.0.28000.1836, potentially granting attackers SYSTEM access.

Am I affected by CVE-2026-27908 in Windows TDI Driver?

You are affected if you are running Windows 10 versions 10.0.14393.0 to 10.0.28000.1836 and have not applied the security update released in version 10.0.28000.1836. Check your OS build using systeminfo.

How do I fix CVE-2026-27908 in Windows TDI Driver?

The recommended fix is to upgrade your Windows 10 system to version 10.0.28000.1836 or later. If patching is not immediately possible, implement stricter access controls and monitor system logs.

Is CVE-2026-27908 being actively exploited?

Currently, CVE-2026-27908 is not known to be actively exploited, and no public POC code is available. However, the vulnerability's nature suggests potential for future exploitation.

Where can I find the official Microsoft advisory for CVE-2026-27908?

Refer to the Microsoft Security Update Guide for CVE-2026-27908: [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27908](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27908)
