Data Deduplication Elevation of Privilege Vulnerability in Microsoft Products
CVE-2026-41095

7.8 HIGH

What is CVE-2026-41095?

The Data Deduplication component in affected Microsoft systems contains a use-after-free vulnerability that an authorized attacker can exploit. By carefully orchestrating interactions with the system, a malicious actor may gain elevated privileges, allowing them to execute arbitrary code or access restricted functionality. This poses significant risks to data integrity and system security.

Affected Version(s)

Windows Server 2012 R2 (Server Core installation), x64-based Systems: 6.3.9600.0 up to, but not including, 6.3.9600.23181

Windows Server 2012 R2, x64-based Systems: 6.3.9600.0 up to, but not including, 6.3.9600.23181

Windows Server 2016 (Server Core installation), x64-based Systems: 10.0.14393.0 up to, but not including, 10.0.14393.9140

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
