Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows Desktop Window Manager (DWM) Core Library enables an authenticated low-privileged attacker to gain elevated privileges through a use-after-free memory corruption flaw. CVSS 7.8 reflects high impact on confidentiality, integrity, and availability but requires local access and existing user-level credentials. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
The Desktop Window Manager (DWM) is a core Windows compositing engine that manages window rendering, visual effects, and GPU-accelerated drawing for the desktop shell. The DWM Core Library runs with elevated privileges and is reachable from lower-privileged user sessions, making it a recurring target for local elevation of privilege research. CWE-416 (Use After Free) describes memory corruption where freed heap objects are referenced again, allowing an attacker who can control the reallocated memory contents to hijack control flow, corrupt kernel/user state, or pivot to SYSTEM-level execution depending on the exploited object's role.
RemediationAI
Apply the Microsoft-released security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42983 - the patch is available from the vendor, and exact KB/build numbers for each affected Windows SKU should be retrieved from that page and deployed through Windows Update, WSUS, Intune, or your standard patch-management pipeline. Because the issue requires local authenticated access, compensating controls while patching include restricting interactive and RDP logon rights on sensitive hosts to trusted administrators (limits the PR:L attacker pool but disrupts shared-workstation and helpdesk workflows), enforcing application allowlisting via WDAC or AppLocker to block unsigned local binaries that would deliver the exploit (high deployment effort and may break legitimate tooling), and prioritizing patches on multi-tenant systems such as Citrix, AVD, and RDS hosts where the local-attacker assumption is most realistic.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35752
GHSA-c6qj-462h-v9wg