Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privileged user to elevate to higher privileges on the host by triggering a use-after-free condition. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8 with no public exploit identified at time of analysis. EPSS data was not provided and the issue is not currently listed in CISA KEV.
Technical ContextAI
The Desktop Window Manager (DWM) is the compositing window manager responsible for rendering the Windows desktop, including visual effects, transparency, and per-window buffers. Its Core Library runs with elevated privileges in user-mode and brokers requests from less-privileged graphical clients, making memory-safety defects in this surface a long-standing path to local privilege escalation. The advisory points to a use-after-free (typically CWE-416), where an object is referenced after being freed, allowing an attacker to control the contents at the freed allocation and ultimately influence execution flow within the DWM context; NVD has classified the underlying root cause more broadly as CWE-20 (Improper Input Validation), suggesting the freed-object access is reachable via crafted input from a lower-privileged caller.
RemediationAI
Apply the Microsoft security update referenced in the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44811) on the next patch cycle; the exact fix build numbers were not included in the provided data and should be read directly from the advisory's 'Security Updates' table for each affected Windows SKU. No vendor-supplied workaround was published in the available references, so compensating controls are limited to standard local-EoP hardening: restrict interactive logon and remote desktop access to trusted accounts (reduces who can reach the local attack surface), enforce Credential Guard and LSA protection to limit downstream value of a successful EoP, and ensure EDR rules are tuned to flag anomalous child processes spawning from dwm.exe (may produce noise on systems running graphical automation tools). Disabling DWM is not a viable mitigation on modern Windows because it is required for the composited desktop.
More in Windows 11 26h1
View allRemote code execution in Windows RRAS affects Windows 10 1607 and Windows Server 2022 23h2 through an integer overflow v
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local a
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to
BitLocker's protection mechanism on Windows fails to enforce a critical authentication or verification step, permitting
Security feature bypass in Microsoft Windows BitLocker allows an attacker with physical access to circumvent the drive e
Denial-of-service in the Windows TCP/IP stack allows an authenticated attacker on an adjacent network to crash the netwo
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables a locally authenticated
Windows Push Notifications on multiple Windows 10, Windows 11, and Windows Server versions exposes sensitive memory cont
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables authenticated local atta
Remote tampering in Microsoft Windows DHCP Server allows unauthenticated network attackers to manipulate critical data w
Privilege escalation in Windows Telephony Service through heap buffer overflow affects Windows 10 1607, Windows 11 25h2,
Remote code execution in Microsoft Remote Desktop Client occurs when a user connects to an attacker-controlled RDP serve
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35747
GHSA-mr6m-hrrm-6262