Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library enables an authenticated low-privilege attacker to gain elevated rights through a use-after-free memory corruption flaw. The issue carries a CVSS 7.8 (High) rating with total confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. CISA SSVC scoring marks exploitation as 'none' and not automatable, suggesting limited real-world activity despite the severe technical impact.
Technical ContextAI
The Desktop Window Manager (DWM) is the Windows compositing engine responsible for rendering visual effects, window thumbnails, and the graphical desktop surface; its Core Library runs with elevated rights to mediate between user-mode applications and the GPU/kernel graphics stack. The root cause is CWE-416 (Use After Free), where memory is referenced after being released - in DWM this typically arises when window or surface object lifecycles are mismanaged across compositor callbacks, allowing the freed allocation to be reclaimed with attacker-controlled data before the dangling pointer is dereferenced. Successful exploitation of such UAFs in graphics subsystems is a well-known path to controlling instruction flow at a higher integrity level.
RemediationAI
Apply the Microsoft security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44813 for your specific Windows version; exact fix KB numbers should be obtained from that advisory as they were not included in the source intelligence. Because this is a local privilege escalation, compensating controls focus on limiting initial access: enforce least-privilege user accounts (no standard users running as local admin), restrict interactive logon to trusted endpoints, deploy EDR with detections for DWM process anomalies and unusual child-process creation under dwm.exe, and prioritize patching on multi-user systems such as RDS/Citrix hosts and VDI where many low-privilege users share a host. Disabling DWM is not a viable mitigation on modern Windows because the desktop compositor is integral to the OS shell.
More in Windows 11 26h1
View allRemote code execution in Windows RRAS affects Windows 10 1607 and Windows Server 2022 23h2 through an integer overflow v
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local a
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to
BitLocker's protection mechanism on Windows fails to enforce a critical authentication or verification step, permitting
Security feature bypass in Microsoft Windows BitLocker allows an attacker with physical access to circumvent the drive e
Denial-of-service in the Windows TCP/IP stack allows an authenticated attacker on an adjacent network to crash the netwo
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables a locally authenticated
Windows Push Notifications on multiple Windows 10, Windows 11, and Windows Server versions exposes sensitive memory cont
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables authenticated local atta
Remote tampering in Microsoft Windows DHCP Server allows unauthenticated network attackers to manipulate critical data w
Privilege escalation in Windows Telephony Service through heap buffer overflow affects Windows 10 1607, Windows 11 25h2,
Remote code execution in Microsoft Remote Desktop Client occurs when a user connects to an attacker-controlled RDP serve
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35761
GHSA-j9m5-7hq3-xx6v