Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privileged user to elevate to SYSTEM via a use-after-free memory corruption flaw. CVSS 7.8 with high impact to confidentiality, integrity, and availability, but currently no public exploit identified at time of analysis and CISA SSVC rates exploitation status as 'none' with automation as 'no'.
Technical ContextAI
The Desktop Window Manager (DWM) is the compositing window manager in Windows responsible for hardware-accelerated rendering of the desktop, transparency effects, and window thumbnails. Its core library runs with elevated privileges and brokers requests from user-mode applications, making it a recurring target for local privilege escalation research. CWE-416 (Use After Free) indicates the flaw stems from continued reference to a freed memory object, which an attacker can groom and reuse to corrupt kernel or service-level memory structures to gain control of execution flow.
RemediationAI
Patch available per vendor advisory - apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44807 through Windows Update or WSUS for the matching Windows build; exact KB numbers are listed on that MSRC page and should be cited in the change ticket. No vendor-supplied workaround is referenced in the available data, so as a compensating control until patching completes, restrict interactive and remote-desktop logon rights on sensitive hosts to reduce the population of accounts that can supply the required PR:L access, and monitor for crashes or unexpected restarts of the dwm.exe process which can indicate exploitation attempts (side effect: dwm crashes also occur benignly under graphics driver faults, so tune accordingly). Secondary reference at https://vuldb.com/vuln/369644 may provide additional remediation context.
More in Windows 11 26h1
View allRemote code execution in Windows RRAS affects Windows 10 1607 and Windows Server 2022 23h2 through an integer overflow v
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local a
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to
BitLocker's protection mechanism on Windows fails to enforce a critical authentication or verification step, permitting
Security feature bypass in Microsoft Windows BitLocker allows an attacker with physical access to circumvent the drive e
Denial-of-service in the Windows TCP/IP stack allows an authenticated attacker on an adjacent network to crash the netwo
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables a locally authenticated
Windows Push Notifications on multiple Windows 10, Windows 11, and Windows Server versions exposes sensitive memory cont
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables authenticated local atta
Remote tampering in Microsoft Windows DHCP Server allows unauthenticated network attackers to manipulate critical data w
Privilege escalation in Windows Telephony Service through heap buffer overflow affects Windows 10 1607, Windows 11 25h2,
Remote code execution in Microsoft Remote Desktop Client occurs when a user connects to an attacker-controlled RDP serve
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35749
GHSA-h3xf-v64x-587v