Skip to main content

Windows DWM Core EUVDEUVD-2026-35752

| CVE-2026-42983 HIGH
Use After Free (CWE-416)
2026-06-09 secure@microsoft.com GHSA-c6qj-462h-v9wg
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 18:41 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.8

DescriptionNVD

Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Microsoft Windows Desktop Window Manager (DWM) Core Library enables an authenticated low-privileged attacker to gain elevated privileges through a use-after-free memory corruption flaw. CVSS 7.8 reflects high impact on confidentiality, integrity, and availability but requires local access and existing user-level credentials. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

The Desktop Window Manager (DWM) is a core Windows compositing engine that manages window rendering, visual effects, and GPU-accelerated drawing for the desktop shell. The DWM Core Library runs with elevated privileges and is reachable from lower-privileged user sessions, making it a recurring target for local elevation of privilege research. CWE-416 (Use After Free) describes memory corruption where freed heap objects are referenced again, allowing an attacker who can control the reallocated memory contents to hijack control flow, corrupt kernel/user state, or pivot to SYSTEM-level execution depending on the exploited object's role.

RemediationAI

Apply the Microsoft-released security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42983 - the patch is available from the vendor, and exact KB/build numbers for each affected Windows SKU should be retrieved from that page and deployed through Windows Update, WSUS, Intune, or your standard patch-management pipeline. Because the issue requires local authenticated access, compensating controls while patching include restricting interactive and RDP logon rights on sensitive hosts to trusted administrators (limits the PR:L attacker pool but disrupts shared-workstation and helpdesk workflows), enforcing application allowlisting via WDAC or AppLocker to block unsigned local binaries that would deliver the exploit (high deployment effort and may break legitimate tooling), and prioritizing patches on multi-tenant systems such as Citrix, AVD, and RDS hosts where the local-attacker assumption is most realistic.

Share

EUVD-2026-35752 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy