Skip to main content

Windows Win32K EUVDEUVD-2026-29605

| CVE-2026-34347 HIGH
Use After Free (CWE-416)
2026-05-12 microsoft GHSA-5q64-qmvv-mh4v
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 18:34 vuln.today
CVE Published
May 12, 2026 - 16:58 nvd
HIGH 7.0

DescriptionCVE.org

Use after free in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows Win32K graphics subsystem (Win32K - GRFX) allows authenticated users with low privileges to achieve SYSTEM-level access through a use-after-free memory corruption vulnerability. Affects multiple Windows 10, Windows 11, and Windows Server 2012 versions. Microsoft has released patches through their March 2026 security updates. The CVSS 7.0 (High) rating reflects high attack complexity (AC:H), requiring specific race condition timing or system state manipulation, though EPSS data is not yet available for this recently disclosed CVE.

Technical ContextAI

The vulnerability resides in the Win32K kernel-mode graphics driver (Win32K.sys), specifically the GRFX (graphics) component responsible for rendering, window management, and GDI operations. CWE-416 (Use After Free) occurs when the driver attempts to access previously freed memory objects during graphics operations, typically triggered through specific sequences of Win32 API calls. Win32K operates in kernel space with SYSTEM privileges, making successful exploitation particularly severe. The affected CPE entries indicate widespread impact across Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server 2012, suggesting the vulnerable code exists across multiple kernel branches and has persisted through several release cycles.

RemediationAI

Apply Microsoft's security updates released through the March 2026 Patch Tuesday cycle, available via Windows Update, WSUS, or Microsoft Update Catalog. Organizations should prioritize patching systems where local users have access (multi-user workstations, terminal servers, jump hosts) or environments already experiencing security incidents. Install updates from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34347 following standard testing protocols for kernel-level patches. For environments unable to immediately patch, implement compensating controls: restrict local logon rights to essential personnel only through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally'), enable Microsoft Defender Application Control (WDAC) or AppLocker to limit execution of unsigned binaries that could serve as exploit delivery mechanisms, and monitor for unusual Win32K.sys-related crashes or privilege changes through Windows Event Logs (Security event IDs 4672, 4673, 4688) and Sysmon. Note that disabling graphics acceleration features may impact user experience and application compatibility, making compensating controls less practical than patching for production systems.

Share

EUVD-2026-29605 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy