
CVE-2026-23667

High
Use after free in Broadcast DVR allows an authorized attacker to elevate privileges locally.
CWE-416 — Weakness Type
Published: Mar 10, 2026  ·  Modified: Mar 17, 2026  ·  Source: NVD
CVSS v3
7.0
🤖 AI Executive Summary

CVE-2026-23667 is a use-after-free vulnerability in Windows Broadcast DVR affecting multiple Windows 10 and 11 versions, allowing authorized local attackers to elevate privileges. With a CVSS score of 7.0 and no public exploit currently available, this represents a moderate-to-high risk requiring prompt patching. The vulnerability requires local access but enables privilege escalation, making it critical for organizations with multi-user systems or shared workstations.

🤖 AI Intelligence Analysis Analyzed: May 10, 2026 08:02
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi government entities, financial institutions, and corporate environments utilizing Windows 10/11 workstations. Government agencies (NCA, GOSI, MOI) managing multi-user systems face elevated risk of insider privilege escalation. Banking sector (SAMA-regulated institutions, Al Rajhi, Riyad Bank) could experience unauthorized access to sensitive financial systems if workstations are compromised. Healthcare organizations (MOH facilities, private hospitals) managing patient data on affected Windows versions require immediate attention. Telecom operators (STC, Mobily, Zain) and energy sector (ARAMCO, SEC) with Windows-based infrastructure should prioritize patching. The vulnerability is particularly concerning in environments with shared workstations or remote access scenarios common in Saudi organizations.
🏢 Affected Saudi Sectors
Government (NCA, GOSI, MOI)
Banking and Financial Services (SAMA-regulated)
Healthcare (MOH, Private Hospitals)
Energy (ARAMCO, SEC)
Telecommunications (STC, Mobily, Zain)
Education
Corporate/Enterprise
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all Windows 10 (versions 1809, 21H2, 22H2) and Windows 11 (23H2) systems across your organization
2. Prioritize patching for systems with multiple user accounts or shared access
3. Restrict local access and enforce strong authentication for privileged accounts
4. Monitor for suspicious privilege escalation attempts

PATCHING GUIDANCE:
1. Apply Microsoft security updates immediately when available for affected Windows versions
2. Test patches in non-production environments first
3. Implement phased rollout starting with critical systems (government, banking, healthcare)
4. Ensure Windows Update is configured for automatic security updates

COMPENSATING CONTROLS (if patching delayed):
1. Disable Broadcast DVR service if not required: Services.msc > Windows.Media.Streaming.Service > Disable
2. Implement application whitelisting to restrict execution of DVR-related processes
3. Enforce principle of least privilege - remove unnecessary local admin rights
4. Enable Windows Defender Application Guard for additional isolation
5. Implement Device Guard/Credential Guard on supported systems

DETECTION RULES:
1. Monitor Event Viewer for privilege escalation attempts (Event ID 4688 with elevated token claims)
2. Track Broadcast DVR service crashes or unexpected restarts
3. Alert on unauthorized access to SYSTEM-level resources from user-mode processes
4. Monitor for suspicious memory access patterns in dvr*.dll processes
5. Implement EDR solutions to detect use-after-free exploitation patterns
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 - 5.1.1: Access Control and Authentication
ECC 2024 - 5.2.1: Privilege Management
ECC 2024 - 5.3.1: System Hardening
ECC 2024 - 6.1.1: Vulnerability Management
🔵 SAMA CSF
SAMA CSF - ID.AM-2: Software Inventory
SAMA CSF - PR.AC-1: Access Control
SAMA CSF - PR.PT-3: Least Privilege Implementation
SAMA CSF - DE.CM-8: Vulnerability Scanning
🟡 ISO 27001:2022
ISO 27001:2022 - A.5.15: Access Control
ISO 27001:2022 - A.8.1: User Endpoint Devices
ISO 27001:2022 - A.8.2: Privileged Access Rights
ISO 27001:2022 - A.12.6.1: Management of Technical Vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 4.0 - 2.2.4: Configure System Security Parameters
PCI DSS 4.0 - 6.2: Ensure Security Patches Installed
PCI DSS 4.0 - 7.1: Limit Access to System Components
📦 Affected Products / CPE 16 entries
microsoft:windows_10_1809
microsoft:windows_10_1809
microsoft:windows_10_21h2
microsoft:windows_10_21h2
microsoft:windows_10_21h2
microsoft:windows_10_22h2
microsoft:windows_10_22h2
microsoft:windows_10_22h2
microsoft:windows_11_23h2
microsoft:windows_11_23h2
microsoft:windows_11_24h2
microsoft:windows_11_24h2
microsoft:windows_11_25h2
microsoft:windows_11_25h2
microsoft:windows_11_26h1
microsoft:windows_11_26h1
📊 CVSS Score
7.0
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: L (Local)
Attack Complexity: H (High)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity High
CVSS Score 7.0
CWE CWE-416
Exploit No
Patch ✓ Yes
Published 2026-03-10
Source Feed nvd
🇸🇦 Saudi Risk Score
7.2
/ 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-416