Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.
AnalysisAI
Race condition in Windows Win32K graphics subsystem enables authenticated local users with low privileges to escalate to SYSTEM-level access on Windows 10 (1607 through 22H2), Windows 11 (all versions through 26H1), and Windows Server 2012. Microsoft has released patches through their monthly security update cycle (MSRC advisory CVE-2026-34331). EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis. The CVSS 7.0 score reflects high attack complexity (AC:H) requiring precise timing to exploit the synchronization flaw, reducing practical exploit reliability compared to simpler privilege escalation vectors.
Technical ContextAI
Win32K is the kernel-mode component of Windows responsible for the Graphics Device Interface (GDI) and windowing system. This vulnerability manifests as CWE-362 (race condition) where concurrent threads access shared graphics resources without proper synchronization primitives (mutexes, semaphores, or atomic operations). The CPE data indicates the flaw exists across multiple Windows generations from legacy Windows 10 1607 (released 2016) through current Windows 11 26H1, suggesting a long-standing architectural weakness in shared memory handling within the GRFX (graphics) subsystem. Race conditions in kernel components like Win32K are particularly dangerous because successful exploitation during the brief window of opportunity allows attackers to manipulate kernel memory structures, bypass security boundaries, and execute code with NT AUTHORITY\SYSTEM privileges.
RemediationAI
Apply the vendor-released patches available through Microsoft's monthly security update cycle by deploying the relevant KB articles listed in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34331. Organizations using Windows Update, WSUS, Configuration Manager, or Intune should prioritize deployment to systems with local user access, especially multi-user environments like terminal servers and developer workstations. If immediate patching is not feasible, implement compensating controls: (1) Restrict local logon rights to trusted users only via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally'), noting this breaks standard user workflows requiring local access; (2) Enable and monitor Windows Defender Exploit Guard Attack Surface Reduction rules, specifically 'Block Win32 API calls from Office macros' if the attack chain involves macro-delivered payloads; (3) Deploy application control (AppLocker/WDAC) to prevent execution of unauthorized binaries that might exploit the race condition, though this requires significant baseline tuning and may block legitimate software. These mitigations reduce attack surface but do not eliminate the kernel vulnerability-patching remains the definitive remediation.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29590
GHSA-58r5-75pr-v3g7