Skip to main content

Windows Win32K CVE-2026-33840

| EUVDEUVD-2026-29586 HIGH
Use After Free (CWE-416)
2026-05-12 microsoft GHSA-5crp-h3g2-hwww
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 18:32 vuln.today
CVE Published
May 12, 2026 - 16:58 nvd
HIGH 7.8

DescriptionCVE.org

Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.

AnalysisAI

Privilege escalation in Windows Win32K ICOMP component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 via a use-after-free memory corruption flaw. Low-privileged authenticated local attackers can exploit this to gain SYSTEM-level privileges with low attack complexity and no user interaction required. Microsoft has released patches addressing this vulnerability, tracked under MSRC guidance. No active exploitation or public exploit code has been identified at time of analysis, with EPSS data not yet available for this recent CVE.

Technical ContextAI

This vulnerability stems from a use-after-free condition (CWE-416) in the Windows Win32K kernel component, specifically within the ICOMP subsystem. Win32K is the Windows kernel-mode driver responsible for the Windows GUI, handling graphical device interface (GDI) operations, window management, and user interface rendering. Use-after-free vulnerabilities occur when memory is accessed after being freed, allowing attackers to manipulate freed memory regions to redirect program execution flow. The ICOMP component likely handles icon composition or image processing operations within Win32K. This class of kernel memory corruption is particularly dangerous as successful exploitation executes attacker code in kernel context, bypassing user-mode security boundaries. Affected products per CPE data include modern Windows platforms: Windows 11 versions 24H2, 25H2, and 26H1, plus Windows Server 2025 in both full and Server Core installation modes.

RemediationAI

Apply Microsoft-released security updates immediately through Windows Update or enterprise patch management systems. The vendor-released patch is available via Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33840, which provides specific KB article numbers and installation guidance for each affected platform. Prioritize patching internet-facing systems, terminal servers, and jump boxes where local user access is more readily obtained by external attackers. For systems requiring delayed patching, implement compensating controls: restrict local user permissions through least-privilege access controls to minimize the pool of authenticated users who could exploit this (disable local admin rights for standard users), enable Windows Defender Exploit Guard attack surface reduction rules to limit Win32K exposure, and monitor for anomalous privilege escalation attempts via Sysmon Event ID 10 (process access) and Security Event 4672 (special privileges assigned to new logon). Note that restricting Win32K access may impact GUI-dependent applications in terminal server environments. Deploy endpoint detection and response (EDR) solutions configured to alert on kernel memory manipulation patterns and unexpected SYSTEM token assignments to low-privilege processes.

Share

CVE-2026-33840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy