CVE-2026-27917: Privilege Escalation in Windows WFP Driver
Platform
windows
Component
wfplwfs
Fixed in
10.0.28000.1836
CVE-2026-27917 describes a use-after-free vulnerability discovered in the Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys). This flaw allows an authenticated attacker to escalate their privileges on the affected system. The vulnerability impacts Windows versions 10 and later, specifically those with build numbers less than or equal to 10.0.28000.1836. Microsoft has released a security update to address this issue.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-27917 lets an attacker who already has some level of access to the system elevate their privileges to SYSTEM. That gives them complete control of the compromised machine: they can install malware, steal sensitive data, modify system configurations, and potentially pivot to other systems on the network. Because a use-after-free is a memory-corruption bug, exploitation can also cause unpredictable behavior and may enable more sophisticated attacks beyond simple privilege escalation. No specific attack campaigns have been publicly linked to this CVE yet, but the potential for local privilege escalation makes it a significant security concern.
Exploitation Context
CVE-2026-27917 was published on April 14, 2026. Its CVSS score is 7.0 (HIGH). As of the current date, it is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, nor does it have a high EPSS score, suggesting a currently low probability of active exploitation in the wild. Public proof-of-concept (POC) code is not yet available, but the nature of the vulnerability (use-after-free) makes it likely that exploits will be developed over time.
Threat Intelligence
EPSS
0.04% (14th percentile)
CVSS Vector
- Attack Vector
- Local — attacker needs a local shell or interactive session on the system.
- Attack Complexity
- High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
- Privileges Required
- Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- High — complete crash or resource exhaustion. Full denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2026-27917 is to apply the security update released by Microsoft, which fixes the vulnerability in version 10.0.28000.1836 and later. If immediate patching is not possible, consider network segmentation to limit the blast radius of a successful attack. No direct workaround is available, but reviewing and hardening WFP filter configurations can reduce the attack surface. After applying the update, confirm that the relevant security patch is installed by checking the Windows Update history.
How to fix
Apply the security updates provided by Microsoft for Windows 10. These updates fix the use-after-free vulnerability in the WFP NDIS Lightweight Filter Driver, preventing the possible elevation of privileges.
Frequently asked questions
What is CVE-2026-27917 — Privilege Escalation in Windows WFP Driver?
CVE-2026-27917 is a use-after-free vulnerability in the Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) that allows an attacker to elevate privileges locally. It affects Windows versions 10 and later with build numbers ≤10.0.28000.1836.
Am I affected by CVE-2026-27917 in Windows WFP Driver?
You are affected if you are running Windows 10 or later with a build number less than or equal to 10.0.28000.1836. Check your system's build number and compare it to the affected versions.
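The build-number check described in this answer and the post-patch verification in the mitigation section, as an added PowerShell example that is not part of the advisory or any Microsoft tooling. It assumes the build threshold quoted on this page; the wfplwfs.sys file version is reported for reference only, since the driver's version need not track the OS build exactly.

```powershell
# Added example (not from the advisory): report whether this host's OS build is at or
# below the build the advisory lists as affected, show the installed wfplwfs.sys version,
# and list recent updates so the result can be cross-checked with Windows Update history.
# Assumption: the threshold below is the build number quoted on this page.

$AffectedMaxBuild = [System.Version]'10.0.28000.1836'

function Get-OsBuildVersion {
    # Windows stores the full build as major.minor.build.UBR in these registry values;
    # UBR (Update Build Revision) is the fourth component that security updates bump.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [System.Version]::new([int]$cv.CurrentMajorVersionNumber,
                                 [int]$cv.CurrentMinorVersionNumber,
                                 [int]$cv.CurrentBuildNumber,
                                 [int]$cv.UBR)
}

function Test-Cve202627917Exposure {
    param([System.Version]$Threshold = $AffectedMaxBuild)
    $build  = Get-OsBuildVersion
    $driver = Get-Item -Path "$env:SystemRoot\System32\drivers\wfplwfs.sys" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OsBuild          = $build.ToString()
        AffectedMaxBuild = $Threshold.ToString()
        # The advisory's affected range is "Windows 10 and later with build <= threshold".
        PossiblyAffected = ($build.Major -ge 10 -and $build -le $Threshold)
        DriverVersion    = if ($driver) { $driver.VersionInfo.FileVersion } else { 'wfplwfs.sys not found' }
    }
}

$result = Test-Cve202627917Exposure
$result | Format-List

if ($result.PossiblyAffected) {
    Write-Warning "Build $($result.OsBuild) is at or below $($result.AffectedMaxBuild); apply the Microsoft update."
    # Most recently installed updates, for cross-checking against Windows Update history.
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
} else {
    Write-Output "Build $($result.OsBuild) is above the affected range listed in the advisory."
}
```

Run it in an elevated PowerShell session on each host you want to assess; the registry and driver reads are read-only, so it changes nothing on the system.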
How do I fix CVE-2026-27917 in Windows WFP Driver?
Apply the security update released by Microsoft, which fixes the vulnerability in version 10.0.28000.1836 and later. Ensure Windows Update is enabled and automatic updates are configured.
Is CVE-2026-27917 being actively exploited?
As of the current date, CVE-2026-27917 is not known to be actively exploited in the wild, but the vulnerability's nature suggests potential for future exploitation.
Where can I find the official Microsoft advisory for CVE-2026-27917?
Refer to the Microsoft Security Update Guide for CVE-2026-27917 when it becomes available. Search for 'CVE-2026-27917' on the Microsoft Security Response Center website.