CVE-2026-21253
msfs.sys -- use-after-free in Mailslot File System, a rarely-studied kernel attack surface
Summary
| Field | Value |
|---|---|
| Driver | msfs.sys (Mailslot File System) |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | February 11, 2026 |
Context
The Mailslot File System is one of the oldest inter-process communication mechanisms in Windows, predating named pipes and Winsock. msfs.sys implements one-way, unreliable message passing through a file system interface. Despite its age and relative obscurity, the driver runs in kernel mode and processes user-controlled IPC operations, making it a valid local privilege escalation target.
This is the first msfs.sys CVE in the KernelSight corpus, which makes it noteworthy for a different reason: it demonstrates that even rarely-studied kernel components can harbor exploitable bugs. The Mailslot protocol is not commonly targeted by security researchers, which means it has received less scrutiny than high-profile targets like CLFS or win32k. Less scrutiny often means more bugs waiting to be found.
Root Cause
The Mailslot File System driver mismanages object lifetimes during mailslot operations. During a specific sequence of mailslot create, read, and close operations, the driver frees an internal object and then continues to reference it through a stale pointer. The freed object returns to the kernel pool, where the attacker can reclaim the allocation with controlled data through pool spray techniques.
The specific object type and triggering sequence have not been publicly disclosed. Mailslot operations involve server-side mailslot objects (created via CreateMailslot), client-side write operations, and message queue management. The UAF likely involves a race between a read/close operation and the internal message queue cleanup.
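The lifetime bug described above, modelled as an added example rather than msfs.sys code (the real object type and triggering sequence are undisclosed): a read path that uses a mailslot object without holding a reference while a close drops the last one, beside the hardened form that pins the object for the duration of the read. The one-slot allocator, `mailslot_t`, `read_vulnerable` and `read_hardened` are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model of the bug class, not msfs.sys code. One fixed slot
 * stands in for the kernel pool, so a freed object is reclaimed by the
 * next same-size allocation deterministically (constructed example). */
typedef struct { int refs; char msg[32]; } mailslot_t;
static mailslot_t pool_slot;
static int slot_in_use;
static mailslot_t *pool_alloc(const char *msg) {
    if (slot_in_use) return NULL;              /* single-slot pool exhausted */
    slot_in_use = 1;
    pool_slot.refs = 1;
    snprintf(pool_slot.msg, sizeof pool_slot.msg, "%s", msg);
    return &pool_slot;
}
static void pool_free(mailslot_t *m) { (void)m; slot_in_use = 0; }
/* Drop one reference; the last one returns the object to the pool. */
static void slot_release(mailslot_t *m) { if (--m->refs == 0) pool_free(m); }
/* Pool reclaim: a same-size allocation reuses the freed slot, so any stale
 * pointer to that slot now sees the new contents. */
static void reclaim_slot(const char *data) { pool_alloc(data); }

/* Vulnerable read: a raw pointer is used without holding a reference. The
 * concurrent close (modelled by calling close_op inline) drops the last
 * reference, the slot is freed and reclaimed, and the read hits stale data. */
static const char *read_vulnerable(mailslot_t *m, void (*close_op)(mailslot_t *)) {
    mailslot_t *p = m;               /* no reference taken */
    close_op(p);                     /* concurrent close: object freed */
    reclaim_slot("RECLAIMED");       /* next allocation lands on the slot */
    return p->msg;                   /* UAF: dereferences reclaimed data */
}

/* Hardened read: take a reference for the duration of the operation. */
static const char *read_hardened(mailslot_t *m, void (*close_op)(mailslot_t *)) {
    static char out[32];
    m->refs++;                       /* reader pins the object */
    close_op(m);                     /* close drops its ref; object survives */
    reclaim_slot("RECLAIMED");       /* slot still in use: nothing reclaimed */
    memcpy(out, m->msg, sizeof out); /* genuine message */
    slot_release(m);                 /* last reference: freed only now */
    return out;
}

int main(void) {
    printf("vulnerable read: %s\n", read_vulnerable(pool_alloc("hello"), slot_release));
    pool_free(&pool_slot);           /* reset the one-slot pool */
    printf("hardened read:   %s\n", read_hardened(pool_alloc("hello"), slot_release));
    return 0;
}
```

The vulnerable path returns whatever reclaimed the slot, which is exactly the attacker-controlled content the stale dereference would operate on in the kernel; the hardened path returns the original message and frees the object only after the read completes.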
Exploitation
The attacker triggers the UAF through crafted mailslot operations. Mailslot creation and message passing are available to any authenticated user. Once the object is freed, pool spraying reclaims the freed slot with controlled data. The stale pointer dereference in msfs.sys then operates on attacker-controlled content, yielding a kernel corruption primitive for SYSTEM escalation.
Exploitation Primitive
Crafted mailslot operation --> UAF --> pool reclaim --> kernel corruption --> SYSTEM
Broader Significance
CVE-2026-21253 is a reminder that the Windows kernel contains dozens of subsystem drivers beyond the "usual suspects." Security researchers focus on CLFS, win32k, afd.sys, and NTFS because those drivers have produced the most bugs historically. But the same classes of vulnerabilities (UAF, buffer overflow, race conditions) exist in less-studied drivers like msfs.sys, and those drivers may lack the incremental hardening that high-profile targets have received. As the most-studied surfaces become harder to exploit, attackers and researchers alike will expand into these secondary targets.