CVE-2026-24289: Microsoft Windows NDIS Driver Use-After-Free Flaw Allows Kernel Privilege Escalation
Microsoft has patched a use-after-free vulnerability in the Windows NDIS driver (ndis.sys) that lets low-privileged attackers gain kernel-level code execution.

Microsoft has released a security update to address CVE-2026-24289, a use-after-free vulnerability in the Windows Network Driver Interface Specification (NDIS) driver (ndis.sys). The flaw, disclosed by Zero Day Initiative as ZDI-26-184, allows local attackers to escalate privileges from low-integrity code execution to full kernel-level control. With a CVSS score of 7.8, the vulnerability is rated Important and affects all supported versions of Windows.
The specific bug resides in ndis.sys, the core driver that manages network interfaces and protocols in Windows. The issue stems from the driver's failure to validate the existence of an object before performing operations on it, leading to a use-after-free condition. An attacker who first gains the ability to execute low-privileged code on a target system can trigger this flaw to corrupt kernel memory and execute arbitrary code with SYSTEM privileges.
Local privilege escalation vulnerabilities like CVE-2026-24289 are a common vector for attackers seeking to move from user-level access to full system compromise. Once an attacker achieves kernel execution, they can disable security products, install rootkits, and persist undetected. While the vulnerability requires prior code execution on the target, it is often chained with other exploits or used in post-exploitation scenarios.
Microsoft has issued a security update via the Microsoft Security Response Center to correct the issue. The advisory notes that the vulnerability was reported to Microsoft on December 5, 2025, and coordinated public disclosure occurred on March 10, 2026. The researcher who discovered the flaw chose to remain anonymous.
Organizations should prioritize applying the March 2026 Patch Tuesday updates to mitigate this vulnerability. Given the local nature of the exploit, endpoints with restricted user privileges are partially protected, but the update closes a reliable escalation path for attackers who have already breached a system. Security teams should verify patch deployment across all Windows workstations and servers.
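One way to verify deployment across a set of hosts, as an added example that is not part of the original article or Microsoft's advisory. The page gives neither the KB identifier nor the fixed ndis.sys version, so both are mandatory parameters to be taken from the MSRC advisory; the parameter names, the host list, and WinRM reachability are assumptions.

```powershell
# Added example: audit hosts for the ndis.sys fix (CVE-2026-24289).
# Assumptions: WinRM remoting is enabled; -KbId and -MinNdisVersion are copied
# from the MSRC advisory for the OS build being audited (this page gives neither).
# The fixed file version differs per Windows build, so run once per build group.
param(
    [Parameter(Mandatory)][string[]]$ComputerName,
    [Parameter(Mandatory)][string]$KbId,
    [Parameter(Mandatory)][version]$MinNdisVersion
)

# Runs on each target: read the on-disk driver version and look up the KB.
$probe = {
    param($KbId)
    $vi = (Get-Item "$env:SystemRoot\System32\drivers\ndis.sys").VersionInfo
    [pscustomobject]@{
        NdisVersion = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                           $vi.FileBuildPart, $vi.FilePrivatePart
        OsBuild     = [Environment]::OSVersion.Version.ToString()
        KbListed    = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
    }
}

$report = foreach ($computer in $ComputerName) {
    try {
        $r = Invoke-Command -ComputerName $computer -ScriptBlock $probe `
                            -ArgumentList $KbId -ErrorAction Stop
        # The file version decides: a later cumulative update supersedes the KB,
        # so KbListed can be False on a host that is already fixed.
        $status = if ([version]$r.NdisVersion -ge $MinNdisVersion) { 'Patched' } else { 'Vulnerable' }
        [pscustomobject]@{
            Computer = $computer; Status = $status; NdisVersion = $r.NdisVersion
            OsBuild  = $r.OsBuild; KbListed = $r.KbListed
        }
    } catch {
        # Unreachable hosts are reported as Unknown, not silently skipped.
        [pscustomobject]@{
            Computer = $computer; Status = 'Unknown'; NdisVersion = $null
            OsBuild  = $null; KbListed = $null
        }
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize
# Non-zero exit lets a scheduler or CI job flag incomplete deployment.
if ($report.Status -contains 'Vulnerable' -or $report.Status -contains 'Unknown') { exit 1 }
```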
This disclosure follows a pattern of increasing scrutiny on Windows kernel drivers. In recent months, researchers have uncovered multiple privilege escalation flaws in Windows components, including the 'MiniPlasma' zero-day and the YellowKey BitLocker bypass. The NDIS driver, as a foundational networking component, remains a high-value target for attackers seeking kernel access.