Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Untrusted pointer dereference in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows Win32K ICOMP component via untrusted pointer dereference allows low-privileged authenticated users to achieve SYSTEM-level access on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. The vulnerability requires local access and low-privilege credentials (PR:L) but no user interaction, with confirmed patch availability from Microsoft. CVSS 7.8 reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at tim
Technical ContextAI
This vulnerability exploits CWE-822 (untrusted pointer dereference) in the Windows Win32K kernel subsystem, specifically within the ICOMP (Image Component Object) processing routines. Win32K is the kernel-mode driver responsible for Windows graphics and windowing functions, operating at ring 0 with full system privileges. Untrusted pointer dereference occurs when kernel code uses a pointer supplied from user-mode without proper validation, allowing attackers to redirect execution flow or manipulate kernel memory structures. In this case, a low-privileged process can supply a malicious pointer to Win32K ICOMP functions, causing the kernel to dereference attacker-controlled memory addresses. The affected products span modern Windows platforms: Windows 11 versions 24H2 (10.0.26100.x), 25H2 (10.0.26200.x), and the insider preview 26H1 (10.0.28000.x), plus Windows Server 2025 including Server Core installations. The vulnerability affects core kernel components used by all graphical applications, making it broadly exploitable across affected installations.
RemediationAI
Apply Microsoft security updates immediately to patch this vulnerability. Vendor-released patches fix the issue in Windows 11 Version 24H2 build 10.0.26100.32690 or later, Windows 11 Version 25H2 build 10.0.26200.8246 or later, Windows 11 Version 26H1 build 10.0.28000.1836 or later, and Windows Server 2025 build 10.0.26100.32690 or later (applies to both standard and Server Core installations). Organizations should deploy patches through Windows Update, WSUS, or enterprise patch management solutions. Consult the official Microsoft advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32222 for specific KB article numbers and deployment guidance. No effective workarounds exist for kernel-level vulnerabilities; patching is the only complete remediation. For systems requiring delayed patching, implement compensating controls including restricting local logon permissions to trusted users only, enabling enhanced security monitoring for unusual privilege escalation attempts via Windows Defender ATP or EDR solutions, and applying principle of least privilege to limit accounts with local interactive logon rights. Additional technical details available through ENISA EUVD-2026-22610 at https://nvd.nist.gov/vuln/detail/CVE-2026-32222.
Same weakness CWE-822 – Untrusted Pointer Dereference
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22610
GHSA-249v-qr3v-pf7r