Microsoft patched a critical elevation-of-privilege vulnerability in the Windows Bluetooth Service on June 9, 2026, closing a use-after-free bug that could allow attackers to gain SYSTEM-level access. The flaw, tracked as CVE-2026-45605, received an Important severity rating and affects all supported versions of Windows. Attackers who successfully exploit this vulnerability could install programs, view or change data, or create new accounts with full administrator rights. The patch was delivered as part of Microsoft’s June 2026 Patch Tuesday updates, and administrators are urged to deploy it immediately.

Use-After-Free in the Bluetooth Stack

The vulnerability resides in the Windows Bluetooth Service, specifically within how the operating system handles certain Bluetooth packets or connections. A use-after-free condition occurs when a program continues to use a pointer to memory after that memory has been freed. In the Windows kernel or privileged driver context, such a bug can enable an attacker to execute arbitrary code with elevated privileges. When triggered, the flaw corrupts memory in a way that an attacker can control, ultimately allowing them to overwrite function pointers or inject shellcode.

Use-after-free bugs are notoriously dangerous because they often bypass modern memory protections like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) by chaining with other techniques. In the Bluetooth stack, the vulnerability likely involves improper handling of connection termination, malformed advertising packets, or race conditions during device pairing. The exact technical details were withheld by Microsoft to prevent immediate exploitation, but the nature of the bug suggests a local attacker could leverage a specially crafted Bluetooth device or a malicious application interacting with the Bluetooth API to trigger the condition.

Bluetooth drivers and services operate at a privileged level because they manage radio hardware and need to handle low-level I/O. On Windows, the Bluetooth stack includes kernel-mode drivers (like bthport.sys) and user-mode services (such as bthserv). A vulnerability in any component that fails to correctly synchronize memory allocation and deallocation can lead to a use-after-free, giving an attacker SYSTEM access—a critical escalation from a standard user or from a sandboxed application.

How an Attacker Could Exploit It

Exploitation of CVE-2026-45605 requires an attacker to have some level of access to the target machine. The vulnerability is classified as local exploitation, meaning the attacker must first run a specially crafted application on the system. However, the attack vector could involve physically proximate scenarios—for instance, a malicious Bluetooth peripheral that pairs with the Windows device and sends exploit data. Alternatively, a remote code execution bug could be used as an initial foothold, followed by this elevation-of-privilege exploit to gain full control.

Once an attacker achieves SYSTEM privileges, they can disable security software, exfiltrate sensitive data, install persistent rootkits, or move laterally across the network. The severity is heightened by the broad attack surface of Bluetooth: nearly every modern laptop, desktop, and tablet has a Bluetooth adapter, often always enabled. Users frequently connect wireless headsets, keyboards, mice, and other peripherals, creating numerous opportunities for a crafted device to trigger the flaw.

Microsoft’s advisory notes that the vulnerability has not been publicly disclosed nor exploited in the wild, but the risk remains significant. In enterprise environments, a single compromised workstation could serve as a beachhead for a larger attack, especially if the machine is joined to a domain. Thus, the patch is critical even for systems where Bluetooth is rarely used—disabling the radio via Device Manager may not fully eliminate the risk if the service itself is vulnerable.

Affected Systems and Patch Availability

CVE-2026-45605 impacts all supported Windows versions, including:

  • Windows 11 versions 23H2 and 24H2 (and 22H2 for Enterprise/Education)
  • Windows 10 version 22H2
  • Windows Server 2025, 2022, and 2019
  • Windows Server 2016 (for Azure Stack HCI and other supported editions)

Older Windows versions that have reached end-of-life (such as Windows 7 or Windows 8.1) are not officially patched unless covered by extended security updates. Systems running these should be assumed vulnerable.

The security update was released on June 9, 2026, and is automatically delivered through Windows Update to most consumer devices. Enterprise administrators can deploy it via Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or their preferred patch management tool. The update is cumulative, meaning it includes all previous security fixes, so installing the latest monthly rollup or security-only update will address the flaw. No additional actions are required once the update is applied.

Specific KB article numbers vary by OS version and update channel. Microsoft typically provides a master list of KB numbers on its Security Update Guide. Users can verify patch installation by checking their update history for the June 2026 cumulative update and confirming the build number corresponds to the patched version.

Why This Matters

Bluetooth is an integral part of the modern Windows ecosystem, powering wireless input devices, audio streaming, file transfers, and proximity-based authentication features like Windows Hello companion devices. The stacks that handle these protocols are complex and often written in low-level languages like C, which are prone to memory safety errors. A use-after-free in the Bluetooth service represents a critical weak point that, if left unpatched, could be chained with other exploits to fully compromise a system.

Elevation-of-privilege vulnerabilities are particularly prized by attackers because they enable them to break out of restricted contexts. Even if a user runs with limited rights—a standard practice in many enterprises—a successful exploit grants the attacker full control over the OS. This bypasses standardized security boundaries, making the flaw especially dangerous in multi-user environments or on shared workstations.

The fact that the vulnerability was rated Important, not Critical, reflects the need for local access. Yet, in the age of remote working, any local vulnerability still poses a serious threat, as it can be combined with phishing or browser-based attacks to achieve remote code execution with SYSTEM rights.

Steps to Protect Your System

Windows Update should automatically download and install the patch on most devices. To confirm, go to Settings > Windows Update and click Check for updates. After installation, the update history will show the June 2026 Cumulative Update. Reboot if prompted.

Enterprise administrators should prioritize patching on workstations that are frequently exposed to untrusted Bluetooth devices or that are used by non-administrative users. Consider the following best practices:

  • Use Group Policy or MDM to enforce automatic updates with minimal user interaction.
  • Audit Bluetooth device usage and disable the radio via policy when not needed. However, this is a secondary measure—the patch is the only complete mitigation.
  • Monitor for any signs of exploit activity using tools like Microsoft Defender for Endpoint or Windows Event Logs. While no active exploits are known, early detection mitigates risk.
  • If patching immediately is not possible, restrict physical access to workstations and disallow pairing with unknown Bluetooth devices.

Microsoft has not provided a registry-based workaround for this specific vulnerability, so the update is the sole fix. Users should remain vigilant for any future security advisories related to Bluetooth components.

Looking Back: Bluetooth Vulnerabilities in Windows

CVE-2026-45605 is not the first Bluetooth-related privilege escalation flaw in Windows. The history is dotted with similar issues:

  • BlueBorne (2017): A set of eight vulnerabilities affecting Bluetooth implementations across platforms, including Windows. One of them, CVE-2017-8628, allowed remote code execution without user interaction.
  • CVE-2020-1289: An elevation-of-privilege vulnerability in the Windows Bluetooth Service due to improper handling of objects in memory, patched in July 2020.
  • CVE-2021-24094: Another Bluetooth stack memory corruption bug that could lead to privilege escalation, addressed in April 2021.
  • CVE-2022-22011: A vulnerability in how Windows processes Bluetooth data, allowing a local attacker to escalate privileges, fixed in June 2022.

Each of these underscores the persistent challenge of securing low-level wireless protocols. Bluetooth was designed for short-range communication, but its complexity—spanning multiple layers from radio to application profiles—creates a large attack surface. Researchers and malicious actors alike continually probe these stacks for memory safety bugs.

Conclusion

CVE-2026-45605 is a stark reminder that even decades-old technology like Bluetooth still harbors severe security flaws. While the patch is straightforward to apply, the risk is immediate for unpatched systems, especially those in high-value enterprise environments. The attack chain might require local presence, but combined with social engineering or a compromised peripheral, the impact can be catastrophic—complete system takeover.

Microsoft’s swift inclusion of the fix in the June 2026 Patch Tuesday demonstrates a measured response, but the onus remains on users and IT teams to deploy the update without delay. As Bluetooth connectivity becomes even more ubiquitous with the growth of Internet of Things (IoT) devices and smart workspaces, securing the Bluetooth stack will only grow in importance. Stay current with Windows patches and consider disabling unnecessary wireless services to minimize your exposure beyond this particular CVE.