The flaws threatened the security of over 30 versions of desktop and server operating systems
As part of its January security update, software giant Microsoft has patched two previously unknown vulnerabilities in the NTFS file system driver—a critical component of modern Windows operating systems responsible for file storage and retrieval on hard drives and SSDs. The flaws were identified by Sergey Tarasov, a specialist at the Positive Technologies Expert Security Center (PT ESC), and reported to the developer under a responsible disclosure policy. Prior to the fix, exploitation of these vulnerabilities could have compromised personal or corporate devices by granting attackers full control over the OS [1].
[1] Hypothetical exploitation of one of the two patched vulnerabilities required malicious code to be pre-loaded onto the target device.
Patches have been released for 37 vulnerable operating systems, including Windows 10, 11, Server 2019, Server 2022, and Server 2025 [2]. Among the affected desktop systems, Windows 11 is the most widely used: according to the analytics platform StatCounter, 51% of Microsoft's desktop users were on Windows 11 as of December 2025. In the server segment, Windows Server ranks as the second most popular globally, according to Fortune Business Insights.
The first of the two security gaps in ntfs.sys, the system file that manages the NTFS file system, was assigned the identifier PT-2026-26903 (CVE-2026-20840) [3]. It received a CVSS 3.1 score of 7.8, indicating high severity. Classified as a heap-based buffer overflow, the vulnerability allows an attacker to write data beyond the allocated memory buffer; in this case, the error stemmed from insecure handling of virtual hard disks.
[3] The vulnerabilities are registered on the dbugs portal, which aggregates data on vulnerabilities in software and hardware from vendors around the world.
To successfully execute an attack, a threat actor would need access to the system, for instance, through previously installed malware. They could then craft a malicious VHD [4] file and force the system to process it, thereby writing arbitrary data into protected memory areas and compromising system integrity.
[4] Virtual hard disk.
"Prior to remediation, these vulnerabilities offered a path to privilege escalation, granting the highest level of access within the operating system. With system privileges, an attacker could take complete control of a compromised computer: covertly installing malware, stealing any data, or—in the case of a corporate device—using it as a foothold for further attacks within the local network."

Another high-severity vulnerability was fixed in the same component: PT-2026-2727 (CVE-2026-20922, CVSS 3.1 score of 7.8). This heap-based buffer overflow vulnerability was caused by missing validation checks for partition tables within the driver code. A potential attacker could exploit this vulnerability to escalate privileges to the maximum level (system) in Windows operating systems and execute unauthorized commands, such as viewing confidential information, deleting files, or installing arbitrary software, including malware. PT ESC incident response experience indicates that exploiting vulnerabilities like PT-2026-2727 can, beyond posing a threat to individual users, serve as the initial vector for complex, targeted attacks against organizations, simplifying lateral movement within the infrastructure.
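As an added illustration of the class of check whose absence the article describes (constructed example code, not Microsoft's driver code and not a Positive Technologies artefact; the MBR layout is the standard 512-byte one and the disk images are synthetic), here is a defensive partition-table parser that validates every entry against the disk size before any of its values are trusted:

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # MBR partition table starts here
ENTRY_FMT = "<B3xB3xII"     # status, CHS(3), type, CHS(3), LBA start, LBA count
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"


def parse_partition_table(sector0: bytes, disk_sectors: int) -> list:
    """Return the populated MBR entries, raising ValueError for any entry that
    describes storage outside the disk or overlaps another entry."""
    if len(sector0) != SECTOR:
        raise ValueError("sector 0 must be exactly 512 bytes")
    if sector0[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(
            ENTRY_FMT, sector0, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0:
            continue  # empty slot
        if status not in (0x00, 0x80) or count == 0:
            raise ValueError(f"entry {i}: malformed status or zero length")
        # Python ints do not wrap, so start + count catches the 32-bit wraparound
        # a native implementation must guard for before sizing any allocation.
        end = start + count
        if end > disk_sectors:
            raise ValueError(f"entry {i}: extends past end of disk ({end} > {disk_sectors})")
        for p in parts:
            if start < p["end"] and p["start"] < end:
                raise ValueError(f"entry {i}: overlaps entry {p['index']}")
        parts.append({"index": i, "type": ptype, "bootable": status == 0x80,
                      "start": start, "end": end})
    return parts


def build_mbr(entries) -> bytes:
    """Construct a synthetic sector-0 image from (status, type, start, count) tuples."""
    buf = bytearray(SECTOR)
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, buf, TABLE_OFFSET + i * ENTRY_SIZE, *entry)
    buf[510:512] = SIGNATURE
    return bytes(buf)


if __name__ == "__main__":
    print(parse_partition_table(build_mbr([(0x80, 0x07, 2048, 204800)]), 409600))
    try:  # a count of 0xFFFFFFFF would wrap a 32-bit end-of-partition calculation
        parse_partition_table(build_mbr([(0x00, 0x07, 2048, 0xFFFFFFFF)]), 409600)
    except ValueError as exc:
        print("rejected:", exc)
```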
If the Microsoft updates cannot be installed immediately, users should exercise extreme caution with virtual hard disks, particularly by refusing to open VHD files from unverified sources.
Positive Technologies researchers regularly identify security flaws in Microsoft solutions and assist the developer in remediation. This collaboration dates back to 2012, resulting in the joint elimination of 11 vulnerabilities to date.
To spot attacks that might leverage similar flaws, use a vulnerability management platform (for example, MaxPatrol VM). MaxPatrol SIEM can detect pre-exploitation activity related to this vulnerability inside your environment. For layered protection, deploy an EDR solution to block suspicious endpoint behavior. For example, MaxPatrol EDR detects threats across more than 25 operating systems, covering the major versions among the world's top ten most common operating systems, including Windows.
For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and vendor recommendations for software and hardware from vendors around the world.