Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library enables an authorized low-privilege user to elevate to higher privileges via a use-after-free condition. The flaw carries a CVSS 7.8 (High) and no public exploit identified at time of analysis, though Microsoft has acknowledged the issue through MSRC. Successful exploitation grants full confidentiality, integrity, and availability impact on the affected host.
Technical ContextAI
The Desktop Window Manager (DWM) is the compositing window manager in Windows that renders desktop visuals (Aero, transparency, live thumbnails) by combining application surfaces via Direct3D. The DWM Core Library exposes kernel-adjacent graphics primitives used by both user-mode shells and privileged rendering paths, making memory-safety bugs in this component a recurring source of elevation-of-privilege CVEs. The root cause is CWE-416 (Use After Free) - an object is freed but a dangling pointer is later dereferenced, allowing an attacker who can groom the heap to substitute attacker-controlled data where a freed object's vtable or function pointer is expected, ultimately redirecting execution flow within a higher-privileged context.
RemediationAI
Apply the patch referenced in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42905 via Windows Update or WSUS as soon as it is available for the affected SKU; the exact KB number and fix build were not provided in the input and should be confirmed against MSRC for each Windows version in scope. As compensating controls until patching completes, restrict interactive and remote desktop logon to trusted administrators (since the bug requires local authenticated execution), enforce attack-surface-reduction rules and Credential Guard to limit the value of a successful elevation, and monitor for unusual child processes spawned by dwm.exe or unexpected token-impersonation events - note that disabling DWM is not a viable workaround as it breaks the Windows desktop shell.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35594
GHSA-6496-48pg-4v8q