CVE-2026-1995
Published: 24 March 2026
Summary
CVE-2026-1995 is a high-severity vulnerability with an unspecified weakness type. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File System Permissions Weakness (T1044). It ranks at the 0.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Restricts standard users from modifying the writable files in C:\ProgramData\IDrive\ used by the elevated id_service.exe, directly preventing injection of arbitrary executable paths.
Requires id_service.exe to validate UTF16-LE encoded file contents as process arguments, rejecting unauthorized or malicious executable paths before launch.
Enforces least privilege on id_service.exe to minimize the privileges available when launching processes from potentially tampered files.
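To check the first control above on a host, the following read-only PowerShell audit lists allow-ACEs under C:\ProgramData\IDrive\ that give broad principals write-type access. It is an added example, not IDrive's or CERT/CC's tooling; the set of "broad" well-known SIDs and the rights mask are assumptions chosen for this check, and deny ACEs and effective-access computation are not considered.

```powershell
# Added example: read-only ACL audit of the directory named in the advisory.
param(
    [string]$Path = 'C:\ProgramData\IDrive'
)

# Assumption: well-known SIDs that cover standard interactive users.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow changing or replacing a file, or rewriting its ACL.
$writeRights = [System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Also match raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$mask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

# Include the directory itself: write access there allows creating or replacing files.
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # account could not be resolved to a SID
        if ($broadSids.ContainsKey($sid) -and ([int]$ace.FileSystemRights -band $mask)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize -Wrap
if ($findings) {
    Write-Warning "$(@($findings).Count) ACE(s) grant write access to standard users under $Path"
}
```

Any row reported for a file that id_service.exe reads means the CM-5 restriction is not in place on that host.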
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Weak file permissions on user-writable config files read by a SYSTEM service directly enable arbitrary executable launch for privilege escalation.
NVD Description
IDrive’s id_service.exe process runs with elevated privileges and regularly reads from several files under the C:\ProgramData\IDrive\ directory. The UTF16-LE encoded contents of these files are used as arguments for starting a process, but they can be edited by any standard user logged into the system. An attacker can overwrite or edit the files to specify a path to an arbitrary executable, which will then be executed by the id_service.exe process with SYSTEM privileges.
Deeper analysis
CVE-2026-1995 is a privilege escalation vulnerability in IDrive's id_service.exe process, which runs with elevated SYSTEM privileges on Windows systems. The process periodically reads UTF16-LE encoded contents from several files located under the C:\ProgramData\IDrive\ directory and uses those contents as arguments to launch new processes. These files are writable by any standard user logged into the system, allowing an attacker to modify them and specify a path to an arbitrary executable. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact with low complexity for local exploitation.
A local attacker with standard user privileges can exploit this vulnerability by overwriting or editing the targeted files in the C:\ProgramData\IDrive\ directory to inject a path to a malicious executable. When id_service.exe next reads the tampered files and launches the specified process, it executes the attacker's payload with full SYSTEM privileges. This grants the attacker complete control over the system, enabling actions such as persistence, lateral movement, data exfiltration, or further privilege escalation.
Mitigation details are provided in advisories from CERT/CC, available at https://kb.cert.org/vuls/id/330121. Security practitioners should consult these resources for vendor-recommended patches, workarounds, or configuration changes to prevent exploitation.
Details
- CWE(s)