Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privileged user to elevate to higher privileges by exploiting a use-after-free memory corruption flaw (CWE-416). The issue was reported by Microsoft's security team (secure@microsoft.com) and tracked via MSRC, with no public exploit identified at time of analysis. Successful exploitation yields full confidentiality, integrity, and availability impact on the local host.
Technical ContextAI
The Desktop Window Manager (DWM) is the compositing window manager responsible for hardware-accelerated rendering of the Windows desktop, window thumbnails, transparency, and visual effects; its Core Library (dwmcore.dll) runs in a privileged context and interacts with kernel graphics subsystems. The flaw is classified as CWE-416 (Use After Free), meaning DWM Core retains and dereferences a pointer to an object whose backing memory has already been released, enabling controlled memory reuse. Because DWM components handle messages and shared graphics objects across security boundaries, a freed-then-reused object can be steered to overwrite function pointers or virtual-table entries to redirect execution into attacker-controlled code paths at elevated privilege. The tag set also references Denial of Service and Memory Corruption, consistent with the typical UAF outcome spectrum (crash vs. controlled hijack).
RemediationAI
Patch available per vendor advisory - apply the Microsoft security update referenced on the MSRC update guide for CVE-2026-44804 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44804) via Windows Update, WSUS, or your preferred patch management channel as soon as your maintenance window permits; the exact fix KB and build numbers should be taken directly from that MSRC page. Because the attack vector is local and requires an authenticated user, compensating controls until patching is complete include restricting interactive logon rights and removing standard users from systems that do not require them, enforcing application allow-listing (WDAC or AppLocker) to prevent execution of untrusted binaries that would deliver the exploit, and tightening EDR detections for anomalous child processes spawned from dwm.exe or unusual handle-table activity against DWM objects - noting that disabling DWM itself is not a viable workaround on modern Windows because the desktop compositor is required for the shell.
More in Windows 11 26h1
View allRemote code execution in Windows RRAS affects Windows 10 1607 and Windows Server 2022 23h2 through an integer overflow v
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local a
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to
BitLocker's protection mechanism on Windows fails to enforce a critical authentication or verification step, permitting
Security feature bypass in Microsoft Windows BitLocker allows an attacker with physical access to circumvent the drive e
Denial-of-service in the Windows TCP/IP stack allows an authenticated attacker on an adjacent network to crash the netwo
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables a locally authenticated
Windows Push Notifications on multiple Windows 10, Windows 11, and Windows Server versions exposes sensitive memory cont
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables authenticated local atta
Remote tampering in Microsoft Windows DHCP Server allows unauthenticated network attackers to manipulate critical data w
Privilege escalation in Windows Telephony Service through heap buffer overflow affects Windows 10 1607, Windows 11 25h2,
Remote code execution in Microsoft Remote Desktop Client occurs when a user connects to an attacker-controlled RDP serve
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35762
GHSA-4hhf-v394-cmfq