Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper access control in Windows Event Logging Service allows an authorized attacker to elevate privileges locally.
AnalysisAI
Windows Event Logging Service privilege escalation allows local authenticated attackers with low-level privileges to gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2012+ environments. The vulnerability requires no user interaction and has low attack complexity (AC:L), making exploitation straightforward once initial access is obtained. Microsoft has released patches via their March 2026 security updates, and exploitation requires only standard user credentials on vulnerable systems. CVSS 7.8 HIGH severity with complete compromise of confidentiality, integrity, and availability upon successful exploitation.
Technical ContextAI
The Windows Event Logging Service (EventLog) is a core operating system component responsible for centralized logging and event management across Windows platforms. This vulnerability stems from improper access control (CWE-284), a weakness where the service fails to properly restrict operations on critical resources or objects. The flaw allows low-privileged users to manipulate service internals or invoke privileged operations without proper authorization checks. Given the EventLog service typically runs with SYSTEM privileges and has deep integration with kernel-mode components and security subsystems, improper access control creates a direct pathway from low-privilege user context to administrative control. The affected CPE strings indicate widespread impact across all supported Windows client and server versions from Windows 10 1607 (released 2016) through the latest Windows 11 26H1 preview builds and Windows Server 2012 deployments still in extended support.
RemediationAI
Apply the vendor-released security updates from Microsoft's March 2026 Patch Tuesday release immediately, prioritizing domain controllers, privileged access workstations, and internet-facing systems with interactive user access. Download patches through Windows Update, WSUS, or Microsoft Update Catalog referencing CVE-2026-33834 and associated KB articles listed in https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33834. For environments unable to patch immediately, implement compensating controls including restricting interactive logon rights to only essential personnel (remove local user accounts from workstations, enforce domain-only authentication), deploying application whitelisting to prevent unauthorized executable launch from user contexts, enabling Windows Event Log forwarding with tamper-protection to detect exploitation attempts, and monitoring for unusual service account activity or privilege use events (Event IDs 4672, 4673, 4674). Note that disabling the Event Logging Service is NOT viable as it breaks fundamental Windows functionality including security auditing and application compatibility. Compensating controls provide only partial risk reduction and should be considered temporary measures pending full patch deployment.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29581
GHSA-g982-rv37-97r8