Skip to main content

Windows Win32K EUVDEUVD-2026-29585

| CVE-2026-33839 HIGH
Race Condition (CWE-362)
2026-05-12 microsoft GHSA-3mv2-86j6-x44q
7.0
CVSS 3.1 · NVD
Temporal: 6.1
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.1 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 18:31 vuln.today
CVE Published
May 12, 2026 - 16:58 nvd
HIGH 7.0

DescriptionCVE.org

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows Win32K GRFX component allows authenticated low-privilege users to gain SYSTEM-level access through race condition exploitation. Affects Windows 10 (1809, 21H2, 22H2), Windows 11 (22H3 through 26H1), and Windows Server 2019 including Server Core installations. Microsoft has released patches via their May 2026 security updates. Attack complexity is high (AC:H), requiring precise timing to win the race condition, limiting widespread automated exploitation despite the severe impact on confidentiality, integrity, and availability.

Technical ContextAI

This vulnerability exploits a race condition (CWE-362) in the Windows Win32K Graphics (GRFX) subsystem, a kernel-mode component responsible for rendering graphics and managing windowing operations. Race conditions occur when multiple threads or processes access shared resources without proper synchronization primitives (mutexes, semaphores, critical sections). In Win32K, this likely involves concurrent access to shared graphics objects, device contexts, or kernel memory structures during resource allocation or state transitions. The GRFX subsystem operates at ring 0 (kernel mode), meaning successful exploitation allows attackers to execute code with SYSTEM privileges. The CPE identifiers confirm impact across multiple Windows versions: client OSes from Windows 10 build 1809 through Windows 11 26H1, plus Windows Server 2019 standard and Server Core deployments. The high attack complexity stems from the precise timing requirements inherent to race condition exploitation-attackers must trigger the vulnerable code path and win the race within a narrow window, typically measured in microseconds.

RemediationAI

Apply Microsoft's May 2026 security updates immediately for affected Windows versions via Windows Update, WSUS, or Microsoft Update Catalog (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33839). Prioritize patching for systems where low-privilege users have interactive logon rights-particularly multi-user workstations, jump servers, and development environments. For environments unable to patch immediately, implement compensating controls: restrict interactive logon rights using Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally') to only necessary administrative accounts; enable Windows Defender Exploit Guard's Attack Surface Reduction rules to limit Win32K system call exposure from untrusted processes; deploy Application Control policies (AppLocker or WDAC) to prevent execution of unsigned or untrusted binaries that could serve as race condition triggers. Note that these mitigations add administrative overhead and may break legitimate workflows requiring broad user permissions-test thoroughly before production deployment. Server Core installations require manual patch application via DISM or Windows Update PowerShell module.

Share

EUVD-2026-29585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy