Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.
AnalysisAI
Desktop Window Manager (DWM) use-after-free vulnerability enables local privilege escalation to SYSTEM on Windows 11 and Server 2022/2025. Low-complexity attack requires only low-privileged authenticated access with no user interaction, affecting all current Windows 11 versions (22H2 through 26H1) and Server editions. Vendor-released patches available as of May 2026. CVSS 7.8 (High) reflects significant local privilege escalation risk; no public exploit identified at time of analysis, though the
Technical ContextAI
Desktop Window Manager (dwm.exe) is the Windows compositing window manager responsible for visual effects, Aero Glass rendering, and desktop composition since Windows Vista. This vulnerability stems from CWE-416 (Use After Free), a memory corruption class where the DWM process attempts to access previously freed memory objects. Use-after-free conditions in privileged system processes like DWM (which runs with SYSTEM privileges) are particularly dangerous because successful exploitation allows attackers to control freed memory contents and redirect execution flow. The CVSS vector AV:L indicates local access requirement, while PR:L confirms low-privileged authenticated users can trigger the condition. The vulnerability affects the core dwm.exe component across multiple Windows builds, spanning Windows 11 versions 22H2 (build 10.0.22631.x), 23H2, 24H2, 25H2, 26H1 (build 10.0.28000.x), and Windows Server 2022/2025 including Server Core installations. The unscoped (S:U) impact means the vulnerability is contained within the vulnerable component's security context, though given DWM's SYSTEM-level execution, this still represents full system compromise.
RemediationAI
Apply Microsoft security updates immediately to patch the Desktop Window Manager use-after-free vulnerability. Vendor-released patches are available through Windows Update and Microsoft Update Catalog for all affected versions: upgrade Windows 11 22H2/23H2 systems to build 10.0.22631.6936 or later, Windows 11 24H2 and Server 2025 to build 10.0.26100.32690 or later, Windows 11 25H2 to build 10.0.26200.8246 or later, Windows 11 26H1 to build 10.0.28000.1836 or later, Windows Server 2022 to build 10.0.20348.5020 or later, and Windows Server 2022 23H2 Server Core to build 10.0.25398.2274 or later. Organizations should prioritize patching multi-user systems and servers where privilege escalation poses highest risk. No workarounds are documented; patching is the only complete remediation. Refer to the official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32152 for deployment guidance and update package downloads. Monitor system logs for unexpected dwm.exe crashes or anomalous behavior that might indicate exploitation attempts.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22537
GHSA-648m-637p-635w