Introduction
A race condition in the Windows Win32k graphics subsystem quietly opens the door for any authenticated local user to escalate privileges to SYSTEM, requiring no user interaction at all. Patched as part of Microsoft's May 2026 Patch Tuesday, CVE-2026-33839 is a textbook example of why kernel mode synchronization bugs remain one of the most impactful classes of local privilege escalation vulnerabilities on Windows.
Technical Information
The vulnerability resides in the Win32k GRFX subsystem, a kernel mode component responsible for graphics rendering and window management in Windows. The root cause is classified under CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization. A shared resource within the Win32k graphics subsystem is accessed by concurrent execution paths without adequate locking or synchronization primitives, creating a window in which an attacker can corrupt internal kernel state.
CVSS Vector Analysis
The official CVSS 3.1 vector provided by Microsoft is:
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
This yields a base score of 7.0 and a temporal score of 6.1. The key metrics break down as follows:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Local | Attacker must have a session on the target machine |
| Attack Complexity | High | Exploitation requires winning a race condition |
| Privileges Required | Low | Any authenticated local user can attempt exploitation |
| User Interaction | None | No social engineering or user action is required |
| Scope | Unchanged | Impact is confined to the vulnerable system |
| Confidentiality | High | Full data access upon successful exploitation |
| Integrity | High | Full system modification is possible |
| Availability | High | System stability can be completely compromised |
Exploitation Flow
Based on the advisory details, the exploitation flow would proceed as follows:
- The attacker establishes a local session on the target Windows system using any low privilege account.
- The attacker triggers concurrent operations against the vulnerable shared resource within the Win32k GRFX subsystem.
- By carefully timing these operations, the attacker attempts to win the race condition, corrupting internal kernel state.
- Upon winning the race, the attacker leverages the corrupted state to elevate their execution context to SYSTEM, gaining full control over the machine.
The High attack complexity rating is worth noting. Race conditions are probabilistic by nature; exploitation may require multiple attempts and careful timing. However, the low privilege requirement and absence of any user interaction make this a practical post compromise escalation vector. Once an attacker has any foothold on a multi user Windows system, this vulnerability becomes a viable path to full system control.
Patch Information
Microsoft released an official fix for CVE-2026-33839 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The fix addresses improper synchronization of a shared resource during concurrent execution within the Win32k graphics subsystem, closing the window in which an attacker could win the race to corrupt state and elevate privileges.
The patch was distributed across multiple cumulative updates targeting different Windows versions:
| Product(s) | KB Article | Patched Build |
|---|---|---|
| Windows 10 v1809 / Server 2019 | KB5087538 | 10.0.17763.8755 |
| Windows 10 v21H2 / v22H2 | KB5087544 | 10.0.19044.7291 / 10.0.19045.7291 |
| Windows 11 v23H2 | KB5087420 | 10.0.22631.7079 |
| Windows 11 v24H2 / v25H2 | KB5089549 (plus Hotpatch KB5089466) | 10.0.26100.8457 / 10.0.26200.8457 |
| Windows 11 v26H1 | KB5089548 | 10.0.28000.2113 |
| Windows Server 2022 | KB5087545 (plus Hotpatch KB5087424) | 10.0.20348.5139 |
| Windows Server 2022, 23H2 Edition | KB5087541 | 10.0.25398.2330 |
| Windows Server 2025 | KB5087539 (plus Hotpatch KB5087423) | 10.0.26100.32860 |
For newer platforms (Windows 11 24H2/25H2, Server 2022, and Server 2025), Microsoft also shipped Security Hotpatch Updates (the secondary KB numbers listed above). Hotpatching allows the fix to be applied to the running kernel without requiring a full system reboot, which is particularly useful in server environments where uptime is critical.
Because this is a closed source kernel mode fix within the Win32k driver, no source level diffs or commits are publicly available. The MSRC advisory confirms the Remediation Level as "Official Fix" and marks customer action as Required across all 23 listed product entries. All updates are available through Windows Update and the Microsoft Update Catalog.
Affected Systems and Versions
Based on the patch matrix, the following Windows versions are confirmed affected:
- Windows 10 version 1809
- Windows 10 version 21H2
- Windows 10 version 22H2
- Windows 11 version 23H2
- Windows 11 version 24H2
- Windows 11 version 25H2
- Windows 11 version 26H1
- Windows Server 2019
- Windows Server 2022
- Windows Server 2022, 23H2 Edition
- Windows Server 2025
All builds prior to the patched build numbers listed in the Patch Information section are vulnerable. The MSRC advisory lists 23 distinct product entries requiring the update.
Vendor Security History
Win32k has a long and well documented history as a target for local privilege escalation vulnerabilities on Windows. The kernel mode graphics subsystem has been the subject of numerous CVEs over the years, frequently appearing in Patch Tuesday releases. In the May 2026 cycle alone, Microsoft addressed 137 different vulnerabilities, reflecting the scale of the Windows attack surface. Microsoft's structured monthly patch cadence and role as CNA for its own products demonstrate a mature vulnerability management program, though the recurring nature of Win32k issues underscores the inherent complexity of securing legacy kernel mode components.



