Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Use after free in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows Win32K graphics subsystem affects Windows 10 (1607 through 22H2), Windows 11 (all versions including 26H1 preview), and Windows Server 2012 through authenticated low-privileged local users exploiting a use-after-free memory corruption flaw. Microsoft has released security updates addressing this CWE-416 vulnerability with CVSS 7.8 severity. The local attack vector and low complexity (AC:L) indicate straightforward exploitation once local access is achieved, though no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Technical ContextAI
Win32K is Windows' kernel-mode graphics driver subsystem that bridges user-mode GDI operations to kernel graphics rendering. This use-after-free (CWE-416) occurs when the GRFX (graphics) component improperly manages object lifetime, allowing a freed memory region to be referenced again. CPE data identifies impact across Windows 10 versions 1607, 1809, 21H2, 22H2, all Windows 11 releases (22H3, 23H2, 24H2, 25H2, and preview 26H1), plus Windows Server 2012. Use-after-free vulnerabilities in kernel-mode drivers are particularly dangerous because successful exploitation executes attacker-controlled code at SYSTEM privilege level, bypassing user-mode security boundaries. Win32K has historically been a frequent target due to its complexity and exposure to user-mode input.
RemediationAI
Apply Microsoft security updates from the February 2026 Patch Tuesday or subsequent releases as documented in https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34333. Organizations should prioritize patching on multi-user systems, terminal servers, and endpoints with elevated lateral movement risk. For systems where immediate patching is not feasible, implement compensating controls including: restrict local logon rights to only trusted administrators via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally'), deploy Windows Defender Application Control or AppLocker to prevent execution of unsigned binaries that could exploit the vulnerability, enable Attack Surface Reduction rules targeting kernel exploitation techniques, and increase monitoring for unusual privilege escalation activity via Sysmon Event ID 10 (process access) and Windows Security Event 4672 (special privileges assigned). Note that restricting local logon eliminates most realistic attack scenarios but may impact legitimate administrative workflows. Disabling Win32K system calls via process mitigation policies is theoretically possible but will break GUI applications and is not practical for most environments.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29593
GHSA-2w3f-wfrh-8q9g