Skip to main content

Windows Win32K EUVDEUVD-2026-29593

| CVE-2026-34333 HIGH
Use After Free (CWE-416)
2026-05-12 microsoft GHSA-2w3f-wfrh-8q9g
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 18:33 vuln.today
CVE Published
May 12, 2026 - 16:58 nvd
HIGH 7.8

DescriptionCVE.org

Use after free in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows Win32K graphics subsystem affects Windows 10 (1607 through 22H2), Windows 11 (all versions including 26H1 preview), and Windows Server 2012 through authenticated low-privileged local users exploiting a use-after-free memory corruption flaw. Microsoft has released security updates addressing this CWE-416 vulnerability with CVSS 7.8 severity. The local attack vector and low complexity (AC:L) indicate straightforward exploitation once local access is achieved, though no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Technical ContextAI

Win32K is Windows' kernel-mode graphics driver subsystem that bridges user-mode GDI operations to kernel graphics rendering. This use-after-free (CWE-416) occurs when the GRFX (graphics) component improperly manages object lifetime, allowing a freed memory region to be referenced again. CPE data identifies impact across Windows 10 versions 1607, 1809, 21H2, 22H2, all Windows 11 releases (22H3, 23H2, 24H2, 25H2, and preview 26H1), plus Windows Server 2012. Use-after-free vulnerabilities in kernel-mode drivers are particularly dangerous because successful exploitation executes attacker-controlled code at SYSTEM privilege level, bypassing user-mode security boundaries. Win32K has historically been a frequent target due to its complexity and exposure to user-mode input.

RemediationAI

Apply Microsoft security updates from the February 2026 Patch Tuesday or subsequent releases as documented in https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34333. Organizations should prioritize patching on multi-user systems, terminal servers, and endpoints with elevated lateral movement risk. For systems where immediate patching is not feasible, implement compensating controls including: restrict local logon rights to only trusted administrators via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally'), deploy Windows Defender Application Control or AppLocker to prevent execution of unsigned binaries that could exploit the vulnerability, enable Attack Surface Reduction rules targeting kernel exploitation techniques, and increase monitoring for unusual privilege escalation activity via Sysmon Event ID 10 (process access) and Windows Security Event 4672 (special privileges assigned). Note that restricting local logon eliminates most realistic attack scenarios but may impact legitimate administrative workflows. Disabling Win32K system calls via process mitigation policies is theoretically possible but will break GUI applications and is not practical for most environments.

Share

EUVD-2026-29593 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy