Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local authenticated attacker (AV:L/PR:L) with no user interaction and a reliable kernel UAF granting SYSTEM produces full C/I/A impact in an unchanged scope.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Use after free in Windows Win32K allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows Win32K (the kernel-mode GUI subsystem) allows an authenticated local user to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of supported builds spanning Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025, including Server Core installations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already have authenticated local code-execution on the target (CVSS PR:L, AV:L): they must be able to run an arbitrary process as a standard/low-privileged user and invoke the vulnerable Win32K system-call path - there is no remote or network-facing exposure and no default-configuration remote risk. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H yields a base score of 7.8 (High): local attack vector, low complexity, low privileges required, no user interaction, and full high impact to confidentiality, integrity, and availability within an unchanged scope - the classic profile of a reliable local EoP that grants SYSTEM. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already gained a low-privileged foothold - via phishing, a compromised service account, or a malicious insider - runs a crafted program that issues Win32K system calls to trigger the use-after-free, corrupting kernel memory to overwrite a process token or hijack execution and elevate to SYSTEM. No public exploit is identified at time of analysis, but the low attack complexity (AC:L) and no-user-interaction (UI:N) profile make a reliable local exploit plausible once code is developed. |
| Remediation | Patch available per vendor advisory: apply the Microsoft security update for CVE-2026-54114 from the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54114, selecting the cumulative update / KB matching each affected Windows 10, Windows 11, or Windows Server build (the exact fixed build number is listed per SKU in that advisory; no standalone fix-version string was supplied in the input, so consult MSRC directly). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and inventory all Windows 10 (build 1809+), Windows 11, and Windows Server 2019-2025 systems to assess exposure and prioritize based on user access and data sensitivity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Windows 10 Version 1809
View allLocal privilege escalation in Microsoft Active Directory Federation Services (AD FS) lets an already-authenticated low-p
Local privilege escalation in the Microsoft Windows Kernel allows an unauthorized attacker to gain elevated (SYSTEM-leve
Local privilege escalation in the Windows Win32K kernel subsystem (CWE-122 heap-based buffer overflow) lets an already-a
Local privilege escalation in the Windows Kernel lets an already-authenticated attacker corrupt kernel memory via a use-
Local code execution in the Windows DHCP Client service stems from a use-after-free (CWE-416) memory-corruption flaw aff
Local code execution in the Microsoft Message Queuing (MSMQ) Queue Manager affects a broad range of Windows client and s
Remote code execution in the Microsoft Windows DHCP Server role allows an unauthenticated network attacker to run arbitr
Elevation of privilege in the Windows NTFS file-system driver lets an already-authenticated local user escalate to SYSTE
Local code execution in the Windows Media component of supported Windows 10, Windows 11, and Windows Server (2016 throug
Elevation of privilege in the Windows Hyper-V virtual network switch (VMSwitch) lets an authenticated attacker operating
Remote code execution in the Windows Server Network driver stems from a race condition (CWE-362) that lets an unauthoriz
Remote code execution in Microsoft Windows Remote Desktop (RDP) allows an unauthorized network attacker to run arbitrary
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44016
GHSA-p9pr-jc27-p43x