Microsoft has acknowledged a new elevation-of-privilege (EoP) vulnerability, tracked as CVE-2026-45640, affecting the Windows Bluetooth Port Driver. Disclosed through the Microsoft Security Response Center (MSRC) portal, this flaw sits in the kernel-level Bluetooth stack, allowing an authenticated attacker to escalate privileges to SYSTEM. The advisory classifies the vulnerability as local escalation, but given Bluetooth’s hybrid wireless/local attack surface, the risk extends beyond physical access alone.

Elevation-of-privilege bugs are among the most sought-after vulnerabilities in the exploit ecosystem. An attacker who has already gained a foothold—via phishing, malware, or another exploit—can weaponize CVE-2026-45640 to disable security services, install persistent backdoors, or exfiltrate sensitive data. SYSTEM access grants unrestricted control over the compromised machine, making this a critical patch priority for IT administrators and home users alike.

Understanding the Vulnerability: Bluetooth Port Driver Under Fire

The Windows Bluetooth Port Driver (bthport.sys) mediates communication between the Bluetooth hardware radio and the higher-level driver stack. It handles packet assembly, fragmentation, and transmission over the HCI (Host Controller Interface). As a kernel-mode driver, any code execution in its context runs with the highest privilege level.

CVE-2026-45640 resides in how the driver processes certain malformed or specially crafted input. While Microsoft has not published the complete technical analysis, typical driver EoP vulnerabilities stem from:

  • Buffer overflows: Improper bounds checks when copying data between user mode and kernel mode.
  • Race conditions: Timing gaps during asynchronous I/O operations that lead to use-after-free or NULL pointer dereference.
  • Improper validation: Failure to sanitize parameters from user-supplied IOCTL (DeviceIoControl) requests.

An attacker who understands the vulnerable code path can craft a sequence of Bluetooth-related system calls that trigger the flaw, eventually overwriting kernel memory to elevate their token’s privilege level. Because Bluetooth drivers are often loaded even when no adapter is present—as part of the default Windows driver set—systems without any Bluetooth hardware may still be vulnerable if the driver is installed.

Affected Platforms and Scope

Microsoft hasn’t publicly enumerated all affected versions at the time of writing, but based on historical patterns and the nature of the Bluetooth Port Driver, a broad range of Windows editions are likely impacted:

  • Windows 11 (all editions, including 24H2 and older builds)
  • Windows 10 (1607 through 22H2)
  • Windows Server 2022, 2019, and possibly 2016

Embedded and IoT editions that include the Bluetooth stack are also potential targets. The attacker’s required privileges are typically those of a standard authenticated user, lowering the barrier after initial compromise. The vulnerability does not require the user to be an administrator, which is what makes it an elevation-of-privilege risk.

Crucially, the attack surface is not limited to environments with Bluetooth adapters. The driver can be loaded even without active hardware, so disabling Bluetooth in Device Manager does not guarantee protection. The only reliable defense is patching.

How an Attack Unfolds

Most EoP attacks involving kernel drivers follow a multi‑step chain:

  1. Initial Access: The attacker gains user-level code execution through malware, a malicious script, or exploitation of a separate remote code execution vulnerability.
  2. Reconnaissance: The attacker enumerates installed drivers and system versions to determine if CVE-2026-45640 is exploitable.
  3. Triggering the Flaw: Using a crafted proof-of-concept (PoC), the attacker sends specifically formatted IOCTL calls to the Bluetooth driver. These calls manipulate kernel memory in ways not intended by the developers.
  4. Privilege Escalation: Successful exploitation overwrites the security descriptor of the attacker’s process or modifies the access token, granting SYSTEM integrity level.
  5. Post‑Exploitation: With SYSTEM access, the attacker can disable Windows Defender, install rootkits, harvest credentials, and move laterally across the network.

Because the Bluetooth Port Driver operates in the kernel, a crash during exploitation may trigger a Blue Screen of Death (BSOD), alerting users. However, sophisticated attackers often test their exploits extensively to avoid crashing the system.

Patch Availability and Deployment

Microsoft has released security updates addressing CVE-2026-45640 as part of its regular Patch Tuesday cycle. The exact KB numbers vary by operating system version. IT administrators should consult the official MSRC Security Update Guide for the definitive list of patches:

For managed environments, updates can be deployed through Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business. Home users should navigate to Settings > Windows Update and manually check for updates.

Microsoft assigns a severity rating based on the attack vector and complexity. While the exact CVSS score for CVE-2026-45640 isn’t disclosed here, typical local privilege escalation flaws in kernel drivers are rated High (7.0–8.8) due to low attack complexity and high impact on confidentiality, integrity, and availability.

Mitigation Strategies for Unpatched Systems

Until patches can be applied, organizations can reduce risk with several defensive measures:

Restrict Access to IOCTLs

IOCTL requests are the primary vector for kernel driver exploitation. Applying granular access controls to the Bluetooth device object can limit unauthorized interaction. Using tools like OSR’s DeviceTree or Process Monitor, administrators can identify the symbolic link to the Bluetooth driver and modify its discretionary access control list (DACL) to deny write access to non‑privileged users. This is an advanced workaround and should be tested thoroughly, as it may break Bluetooth functionality.

Disable Bluetooth When Not Needed

While the driver may still be loaded, disabling the Bluetooth radio through Windows settings and preventing driver loading via Group Policy can reduce exposure. For critical systems that never require Bluetooth, consider:

  • Removing the Bluetooth hardware radio (if possible).
  • Uninstalling the Bluetooth driver entirely from Device Manager (right‑click the Bluetooth adapter → Uninstall device → delete driver software).
  • Using Windows Defender Application Control (WDAC) to block the driver binary (bthport.sys) from loading.

Apply the Principle of Least Privilege

Since the vulnerability requires authenticated user access, operating users with standard privileges—not local administrator—slows down most attack chains. Combined with tools like LAPS (Local Administrator Password Solution) and Privileged Access Workstations (PAW), the overall attack surface shrinks.

Enable Enhanced Security Features

  • Credential Guard and Virtualization-Based Security (VBS): These technologies isolate sensitive processes, making it harder for an attacker to extract credentials even after successful elevation.
  • Exploit Protection: Use Windows Exploit Protection (part of Windows Security) to enforce DEP, ASLR, and Control Flow Guard (CFG) for the Bluetooth driver. While not foolproof, these mitigations increase the cost of exploit development.
  • Memory Integrity (HVCI): Hypervisor‑enforced Code Integrity prevents unsigned or malicious code from executing in kernel mode. It can stymie many memory corruption exploits, though not all.

Long‑Term Defense: Hardening the Bluetooth Stack

CVE-2026-45640 is not an isolated incident. Bluetooth drivers, bridging wireless protocols and kernel space, remain a persistent attack surface. Microsoft has been gradually refactoring driver frameworks to isolate peripherals from the core kernel, but legacy code persists. Security-minded organizations should adopt a proactive posture:

  • Audit Bluetooth usage: Account for every device that includes or connects via Bluetooth. Unneeded radios should be physically removed or permanently disabled in firmware.
  • Driver inventory and risk scoring: Use tools like Microsoft Defender for Endpoint’s Threat & Vulnerability Management to identify outdated or vulnerable drivers across the estate.
  • Network segmentation: Treat Bluetooth as an untrusted network; isolate Bluetooth‑enabled devices on separate VLANs where possible. Bluetooth gateways should not bridge directly into sensitive segments without strong authentication.
  • User awareness: Educate users about leaving Bluetooth active in public places. A local attacker who pairs a rogue device could potentially trigger driver vulnerabilities without any user interaction in some scenarios.

How to Verify Patch Installation

After applying updates, confirming that the vulnerable Bluetooth driver has been replaced is straightforward:

  1. Open an elevated Command Prompt or PowerShell.
  2. Run the following command to query the version of bthport.sys:
    powershell Get-Item C:\Windows\System32\drivers\bthport.sys | Select-Object VersionInfo
  3. Compare the version number with the patched version listed in the security update article for your OS. For Windows 11 24H2, the patched version might be 10.0.26100.xxxx; for Windows 10 22H2, it could be 10.0.19041.xxxx (exact versions will vary by release).
  4. Reboot the system if the driver was replaced.

Alternatively, Microsoft’s built‑in Windows Update history shows all installed security updates. Look for the KB article number associated with the CVE.

Threat Intelligence and Real‑World Exploitation

At the time of disclosure, Microsoft reported no active exploitation in the wild for CVE-2026-45640. However, history shows that functional exploits for EoP vulnerabilities in widely distributed drivers often appear within days of a patch release. Adversarial groups reverse‑engineer the binary diff between the vulnerable and patched driver to develop working PoCs.

The Bluetooth Driver attack surface has been targeted before:

  • BlueBorne (2017): A set of eight vulnerabilities in Bluetooth implementations across platforms, allowing remote code execution and man‑in‑the‑middle attacks.
  • CVE-2023-23397 (2023): An EoP in the Windows Bluetooth driver caused by improper handling of server‑side request forgery.
  • Multiple IOCTL‑based EoP flaws: Over the years, security researchers have found dozens of driver bugs in Wi‑Fi, Bluetooth, and other kernel components that enable local privilege escalation.

Attackers often chain CVE-2026-45640 with a remote code execution (RCE) vulnerability to achieve end‑to‑end compromise from a single email or web page. Therefore, patching both the initial access vector and this EoP is critical.

The Broader Patch Tuesday Context

Microsoft’s monthly security releases typically bundle fixes for tens of vulnerabilities across its product range. Administrators must evaluate the entire set of CVEs, weighing exploitability, impact, and environmental factors. CVE-2026-45640 should be prioritized in scenarios where:

  • Bluetooth is enabled on systems that process sensitive data.
  • Users operate with local administrator rights (increasing the damage an initially compromised user can inflict).
  • The device is used in multi‑user environments (e.g., Remote Desktop Servers, kiosks) where user boundaries matter.

For organizations deploying defense‑in‑depth, integrating the patch into your standard configuration baseline ensures that re‑imaged machines immediately receive the fix. Use tools like Microsoft Defender for Endpoint’s security update assessment to identify stragglers.

Looking Ahead: Microsoft’s Driver Security Initiatives

Microsoft has acknowledged the systemic risk posed by kernel drivers. Under the Secure Future Initiative (SFI), the company is moving towards reducing the number of trusted kernel‑mode components. Future Windows releases are expected to migrate more driver functionality to user mode, where even a successful exploit does not automatically grant SYSTEM access.

In the near term, the Driver Blocklist (enforced via Windows Defender Application Control and memory integrity) prevents known vulnerable drivers from loading. Microsoft can quickly add the specific vulnerable version of bthport.sys to this blocklist if in‑the‑wild exploits emerge, providing an extra layer of protection even before patches are fully deployed.

CVE-2026-45640 serves as another reminder that local elevation‑of‑privilege may lack the headline‑grabbing impact of remote code execution, but it often completes the kill chain. Patching it promptly is the most effective countermeasure.

For the most up‑to‑date information, always refer to the official MSRC advisory and the relevant security update guide.