Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows Desktop Window Manager (DWM) Core Library enables an authorized low-privileged user to gain elevated privileges through a use-after-free memory corruption flaw. The vulnerability carries a CVSS 3.1 score of 7.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Exploitation requires the attacker to already have local code execution as a standard user, making it a strong candidate for post-compromise chaining toward SYSTEM-level access.
Technical ContextAI
The Desktop Window Manager (DWM) is the compositing window manager in modern Windows operating systems that handles rendering and visual effects, running with elevated privileges to manage GUI composition for all sessions. The DWM Core Library is a core component implicated here, and the underlying flaw is classified as CWE-416 (Use After Free), in which memory is referenced after it has been released back to the allocator. In such conditions, an attacker who can influence the contents of the freed memory region (for example by spraying controlled objects in its place) can hijack object pointers, virtual function tables, or other control structures, ultimately redirecting execution flow inside a process running at higher privilege than the attacker.
RemediationAI
Apply the security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45637 (Patch available per vendor advisory; exact KB and fixed build numbers are listed there per affected Windows SKU). Until patches are deployed, reduce exposure by restricting interactive and remote-desktop logon rights to trusted users, applying the principle of least privilege so that fewer accounts can reach the local prerequisite for exploitation, and ensuring EDR is tuned to detect anomalous child processes or token manipulation originating from dwm.exe; note that disabling DWM is not a viable workaround on supported Windows versions because the modern desktop composition pipeline depends on it and turning it off will break the user-facing GUI.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35566
GHSA-g34g-39q4-7286