CVE-2018-0826
Description
CVE-2018-0826 is a Windows Storage Services elevation of privilege vulnerability due to improper impersonation in SvcMoveFileInheritSecurity, allowing arbitrary file moves and SYSTEM-level compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2018-0826 is an elevation of privilege vulnerability in Windows Storage Services, specifically in the SvcMoveFileInheritSecurity RPC method [1]. The flaw exists in Windows 10 versions 1511, 1607, 1703, 1709, Windows Server 2016, and Windows Server version 1709 [1]. The function impersonates the user and calls MoveFileEx to move a file, then reverts impersonation and attempts to reset the security descriptor of the new file via SetNamedSecurityInfo. If SetNamedSecurityInfo fails, the code tries to move the file back to its original location but does not reassert impersonation, leading to a TOCTOU issue [1].
Exploitation
An attacker must have local access and be able to create a file with a known path. The attacker can cause SetNamedSecurityInfo to fail by adding a Deny ACE to the file for SYSTEM, which results in ERROR_ACCESS_DENIED [1]. By placing an oplock on the original file, the attacker can swap the path with a mount point during the race window, redirecting the revert operation to an arbitrary location while running as SYSTEM [1]. The attack requires user interaction to trigger the vulnerable code path, and the attacker controls both the file name and contents [1].
Impact
Successful exploitation allows an attacker to create arbitrary files in arbitrary locations at the SYSTEM privilege level, resulting in elevation of privilege [1]. The attacker gains full control over the system, enabling them to install programs, view, change, or delete data, or create new accounts with full user rights [1].
Mitigation
Microsoft issued a security update as part of February 2018 Patch Tuesday [1]. The fix addresses the impersonation issue in the revert path. Users should apply the relevant patch for their Windows version: Windows 10 (1511, 1607, 1703, 1709), Windows Server 2016, and Windows Server version 1709 [1]. No workaround was provided, and the vulnerability is listed on Exploit-DB [1]. Organizations should prioritize patching, especially where user interaction is possible.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Microsoft Corporation/Windows Storage Services (v5). Range: Windows 10 versions 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing impersonation reassertion in the revert path of SvcMoveFileInheritSecurity allows a TOCTOU race to redirect a SYSTEM-privileged file move to an attacker-controlled location."
Attack vector
An attacker triggers the bug by first causing `SetNamedSecurityInfo` to fail — for example, by adding a Deny ACE for SYSTEM to the target file, which yields `ERROR_ACCESS_DENIED` [ref_id=1]. When the service attempts to revert the file move (running as SYSTEM), the attacker exploits a TOCTOU race condition: they place an oplock on the original file and swap in a mount point, redirecting the revert to an arbitrary location of their choice [ref_id=1]. Because the revert operation runs at SYSTEM privilege and the attacker controls both the file name and contents, this results in arbitrary file creation at a privileged location (e.g., `c:\windows\test.txt`) and elevation of privilege [ref_id=1].
Affected code
The vulnerability resides in the `SvcMoveFileInheritSecurity` RPC method of the StorSvc (Storage Service) on Windows. The function impersonates the user, calls `MoveFileEx` to move a file, then reverts impersonation and attempts to reset the security descriptor via `SetNamedSecurityInfo`. If `SetNamedSecurityInfo` fails, the code tries to move the file back to its original location **without reasserting user impersonation**, leaving the revert running as SYSTEM [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the root cause is clear: the revert path in `SvcMoveFileInheritSecurity` fails to re-impersonate the caller before moving the file back [ref_id=1]. The fix should ensure that all file operations — including the revert — are performed under user impersonation, preventing a SYSTEM-privileged write to an attacker-controlled destination. Without such a change, an attacker can always win the race condition by using an oplock and a mount point to redirect the revert [ref_id=1].
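The call sequence and the fix described above, as an added Python model; it is not StorSvc code and does not come from the advisory. `ModelFS`, the directories `c:\work` and `c:\dest`, and the callback standing in for the race window are assumptions made for illustration.

```python
# Added model of the flaw; not StorSvc code. All names below are hypothetical.
SYSTEM, USER = "SYSTEM", "user"

class AccessDenied(Exception):
    pass

class ModelFS:
    """Toy filesystem: per-directory write ACLs plus redirecting mount points."""
    def __init__(self):
        self.writers = {r"c:\windows": {SYSTEM}, r"c:\work": {SYSTEM, USER},
                        r"c:\dest": {SYSTEM, USER}}
        self.files = {(r"c:\work", "test.txt")}   # constructed sample state
        self.mounts = {}                          # directory -> redirect target

    def move(self, identity, src, dst):
        # Resolve mount points at the time of use, then check the destination ACL.
        src = (self.mounts.get(src[0], src[0]), src[1])
        dst = (self.mounts.get(dst[0], dst[0]), dst[1])
        if identity not in self.writers[dst[0]]:
            raise AccessDenied(f"{identity} may not write to {dst[0]}")
        self.files.remove(src)
        self.files.add(dst)

def move_inherit_security(fs, src, dst, set_security, reimpersonate_on_revert):
    """Model of the call sequence the page describes for SvcMoveFileInheritSecurity."""
    fs.move(USER, src, dst)            # impersonating the caller
    if set_security(dst):              # impersonation reverted: runs as SYSTEM
        return "moved"
    # Revert path. The flawed version stays SYSTEM; the hardened one re-impersonates.
    identity = USER if reimpersonate_on_revert else SYSTEM
    try:
        fs.move(identity, dst, src)
        return "reverted"
    except AccessDenied:
        return "revert denied"

def run(reimpersonate_on_revert):
    fs = ModelFS()
    def failing_set_security(path):
        # Models the security-descriptor reset failing, and the original
        # directory being replaced by a mount point before the revert runs.
        fs.mounts[r"c:\work"] = r"c:\windows"
        return False
    outcome = move_inherit_security(fs, (r"c:\work", "test.txt"), (r"c:\dest", "test.txt"),
                                    failing_set_security, reimpersonate_on_revert)
    return outcome, sorted(fs.files)
```

`run(False)` leaves the file in `c:\windows` because the revert ran as SYSTEM; `run(True)` is denied at the destination ACL and the file stays in `c:\dest`.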
Preconditions
- network: Attacker must be able to call the `SvcMoveFileInheritSecurity` RPC method (available to unprivileged users on affected Windows versions)
- input: Attacker must be able to add a Deny ACE for SYSTEM to the target file to force `SetNamedSecurityInfo` to fail
- input: Attacker must be able to place an oplock on the original file and swap in a mount point during the race window
Reproduction
1. Compile the provided C++ PoC project (available from the exploit-db archive at https://gitlab.com/exploit-db/exploitdb-bin-sploits/-/raw/main/bin-sploits/44152.zip) [ref_id=1].
2. Execute the compiled PoC as a normal (unprivileged) user on Windows 10 1709 [ref_id=1].
3. The PoC abuses the `SvcMoveFileInheritSecurity` method to create `test.txt` in `c:\windows`, demonstrating arbitrary file creation at a privileged location [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44152/ (mitre; exploit; x_refsource_EXPLOIT-DB)
- www.securityfocus.com/bid/102944 (mitre; vdb-entry; x_refsource_BID)
- www.securitytracker.com/id/1040379 (mitre; vdb-entry; x_refsource_SECTRACK)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0826 (mitre; x_refsource_CONFIRM)