Microsoft's June 2026 security update addresses CVE-2026-42837, a local privilege escalation vulnerability in the Windows Projected File System (ProjFS) filter driver. An attacker who successfully exploited this flaw could gain SYSTEM-level access on a vulnerable machine, underscoring the critical importance of prompt patching.

What is ProjFS and Why Does It Matter?

Projected File System is a Windows feature that enables applications to expose hierarchical data from a backing data store as a virtual file system. It is heavily used by Windows Subsystem for Linux (WSL), Docker, and various third-party tools to provide seamless file access. ProjFS allows the operating system to project files and directories into the local file system on demand, rather than copying entire datasets. The filter driver, projfs.sys, sits within the Windows kernel, intercepting file system calls and coordinating with user-mode providers.

Because it operates at the kernel level, any vulnerability in the ProjFS driver can have severe consequences. A flaw in input validation or memory handling could allow a local, unprivileged user to execute arbitrary code in the kernel context, leading to complete system compromise. CVE-2026-42837 fits this pattern precisely.

Dissecting CVE-2026-42837: Buffer Over-read in the ProjFS Filter Driver

According to Microsoft's advisory, CVE-2026-42837 is an elevation-of-privilege vulnerability rated Important. The root cause is a buffer over-read in the ProjFS filter driver. While a buffer overflow writes beyond the bounds of a buffer, a buffer over-read occurs when a program reads more data from a buffer than was intended, potentially leaking sensitive memory contents or causing a crash. In kernel-mode components, over-reads can lead to information disclosure or be chained with other exploits to achieve code execution.

In this case, the vulnerability allows a local attacker to read from kernel memory, which could reveal pointers, credentials, or other secrets that facilitate a broader attack. However, Microsoft's classification as an elevation-of-privilege vulnerability suggests the primary risk is that an attacker can escalate their privileges to SYSTEM. This may involve a multi-step attack where the over-read is used to defeat address space layout randomization (ASLR) or to leak a token that can be hijacked to impersonate a higher-privileged process.

Attack Vector and Exploitability

The attack vector is local, meaning an attacker must first have a foothold on the target system, such as through a low-privileged user account or a compromised application. They would then need to trigger the vulnerable code path in the ProjFS driver, likely by initiating a series of carefully crafted file system operations that cause the driver to over-read a memory buffer. No user interaction is required once the attacker has code execution with limited rights.

Microsoft assessed the exploitability as Exploitation Less Likely. This rating indicates that while the technical nature of the vulnerability might make exploitation challenging, it remains a credible threat that determined attackers could leverage. Historical precedent shows that local privilege escalation flaws in Windows kernel drivers are regularly weaponized by ransomware groups and state-sponsored actors to disable security software and gain full control of endpoints.

Affected Systems and Patches

All supported editions of Windows 11 and Windows 10 with the ProjFS feature enabled are potentially at risk. ProjFS is available in Windows 10 version 1709 and later, and it is integral to WSL, Docker Desktop, and other containerization workloads. Systems without these workloads installed are still vulnerable if the ProjFS driver is present, as it ships with the operating system.

Microsoft released patches as part of the June 9, 2026, Patch Tuesday cycle. The fix addresses the over-read by implementing proper bounds checking in the affected driver function. The update also hardened the driver against similar buffer handling errors through additional code validation. IT administrators should prioritize deploying this update, especially on systems where ProjFS is actively used or where untrusted users have local access.

How to Verify Patch Installation

For standalone systems, the patch is delivered via Windows Update and will appear as a cumulative update for your specific Windows version. Enterprise environments using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager should ensure the update is approved and deployed. To verify that CVE-2026-42837 is remediated, check that the latest cumulative update installed matches the KB article associated with the June 2026 release. Microsoft typically publishes a list of CVEs addressed each month, and this vulnerability is additionally tracked under the Security Updates Guide.

Mitigation and Workarounds

If immediate patching is not possible, Microsoft recommends disabling ProjFS entirely as a workaround. This can be accomplished via Discretionary Access Control List (DACL) modifications or by limiting the feature's usage through Group Policy. However, disabling ProjFS will break WSL and any application that relies on it. An alternative, less disruptive mitigation is to restrict local logon permissions to trusted users only, thereby reducing the attack surface.

Defense-in-depth measures such as enabling Windows Defender Application Control (WDAC) or AppLocker can make it harder for an attacker to execute the malicious code necessary to trigger the vulnerability. Moreover, running endpoint detection and response (EDR) solutions with exploit protection capabilities can provide a safety net by monitoring for abnormal driver behavior.

Broader Implications and Past ProjFS Vulnerabilities

This is not the first time ProjFS has appeared in a security advisory. In 2022, Microsoft patched CVE-2022-38028, a similar elevation-of-privilege flaw in the ProjFS driver. That vulnerability, also rated Important, involved a use-after-free condition that could be exploited locally. The recurrence of issues in the same kernel component raises questions about the overall hardening of ProjFS. Kernel drivers are notoriously complex, and the increased adoption of WSL and containers means millions of systems are exposed to these risks.

CVE-2026-42837 highlights the ongoing challenge of securing kernel-mode code. Buffer handling errors remain a top source of vulnerabilities despite advances in static analysis and fuzzing tools. Microsoft's Security Response Center (MSRC) has invested heavily in proactive measures like the OneFuzz testing framework and Hyper-V code integrity, but as this case demonstrates, even mature components can harbor subtle flaws.

For defenders, the takeaway is clear: maintain rigorous patch management hygiene, especially for kernel-level updates. Local privilege escalation bugs are a linchpin in the attack chain for many high-profile breaches. By promptly applying June's updates, organizations can close a dangerous path that stretches from a footnote in the kernel to total system dominion.

Conclusion and Recommendations

CVE-2026-42837 is a textbook example of a local privilege escalation vulnerability that underscores the importance of timely security updates. While exploitation is considered less likely, the potential impact is severe—complete system compromise with the highest privileges. Microsoft's patch corrects the buffer over-read, and systems should be updated without delay.

For IT administrators, we recommend:

  • Apply the June 2026 cumulative updates to all Windows endpoints and servers.
  • Audit systems for any dependencies on ProjFS, particularly WSL and container platforms, to prioritize patching.
  • In high-risk environments where patching cannot be immediate, consider disabling ProjFS or tightening local access controls.
  • Review kernel driver protection capabilities in your security stack, such as those offered by Microsoft Defender for Endpoint or third-party EDRs.

As attackers continue to chain low-severity bugs into devastating attack sequences, staying current on updates remains the single most effective defense. This latest ProjFS vulnerability is a potent reminder that the kernel is a privileged battleground where even small memory errors can have outsized consequences.