Skip to main content

Windows DWM Core Library EUVDEUVD-2026-35566

| CVE-2026-45637 HIGH
Use After Free (CWE-416)
2026-06-09 secure@microsoft.com GHSA-g34g-39q4-7286
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 18:06 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.8

DescriptionNVD

Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Microsoft Windows Desktop Window Manager (DWM) Core Library enables an authorized low-privileged user to gain elevated privileges through a use-after-free memory corruption flaw. The vulnerability carries a CVSS 3.1 score of 7.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Exploitation requires the attacker to already have local code execution as a standard user, making it a strong candidate for post-compromise chaining toward SYSTEM-level access.

Technical ContextAI

The Desktop Window Manager (DWM) is the compositing window manager in modern Windows operating systems that handles rendering and visual effects, running with elevated privileges to manage GUI composition for all sessions. The DWM Core Library is a core component implicated here, and the underlying flaw is classified as CWE-416 (Use After Free), in which memory is referenced after it has been released back to the allocator. In such conditions, an attacker who can influence the contents of the freed memory region (for example by spraying controlled objects in its place) can hijack object pointers, virtual function tables, or other control structures, ultimately redirecting execution flow inside a process running at higher privilege than the attacker.

RemediationAI

Apply the security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45637 (Patch available per vendor advisory; exact KB and fixed build numbers are listed there per affected Windows SKU). Until patches are deployed, reduce exposure by restricting interactive and remote-desktop logon rights to trusted users, applying the principle of least privilege so that fewer accounts can reach the local prerequisite for exploitation, and ensuring EDR is tuned to detect anomalous child processes or token manipulation originating from dwm.exe; note that disabling DWM is not a viable workaround on supported Windows versions because the modern desktop composition pipeline depends on it and turning it off will break the user-facing GUI.

Share

EUVD-2026-35566 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy