Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.
Articles & Coverage 1
AnalysisAI
Privilege escalation in Windows Win32K ICOMP component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 via a use-after-free memory corruption flaw. Low-privileged authenticated local attackers can exploit this to gain SYSTEM-level privileges with low attack complexity and no user interaction required. Microsoft has released patches addressing this vulnerability, tracked under MSRC guidance. No active exploitation or public exploit code has been identified at time of analysis, with EPSS data not yet available for this recent CVE.
Technical ContextAI
This vulnerability stems from a use-after-free condition (CWE-416) in the Windows Win32K kernel component, specifically within the ICOMP subsystem. Win32K is the Windows kernel-mode driver responsible for the Windows GUI, handling graphical device interface (GDI) operations, window management, and user interface rendering. Use-after-free vulnerabilities occur when memory is accessed after being freed, allowing attackers to manipulate freed memory regions to redirect program execution flow. The ICOMP component likely handles icon composition or image processing operations within Win32K. This class of kernel memory corruption is particularly dangerous as successful exploitation executes attacker code in kernel context, bypassing user-mode security boundaries. Affected products per CPE data include modern Windows platforms: Windows 11 versions 24H2, 25H2, and 26H1, plus Windows Server 2025 in both full and Server Core installation modes.
RemediationAI
Apply Microsoft-released security updates immediately through Windows Update or enterprise patch management systems. The vendor-released patch is available via Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33840, which provides specific KB article numbers and installation guidance for each affected platform. Prioritize patching internet-facing systems, terminal servers, and jump boxes where local user access is more readily obtained by external attackers. For systems requiring delayed patching, implement compensating controls: restrict local user permissions through least-privilege access controls to minimize the pool of authenticated users who could exploit this (disable local admin rights for standard users), enable Windows Defender Exploit Guard attack surface reduction rules to limit Win32K exposure, and monitor for anomalous privilege escalation attempts via Sysmon Event ID 10 (process access) and Security Event 4672 (special privileges assigned to new logon). Note that restricting Win32K access may impact GUI-dependent applications in terminal server environments. Deploy endpoint detection and response (EDR) solutions configured to alert on kernel memory manipulation patterns and unexpected SYSTEM token assignments to low-privilege processes.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29586
GHSA-5crp-h3g2-hwww