ZeroPath at Black Hat USA 2026

Windows Win32k GRFX Race Condition: Quick Look at CVE-2026-33839 Privilege Escalation

A brief summary of CVE-2026-33839, a race condition in the Windows Win32k GRFX subsystem that allows local privilege escalation to SYSTEM. Includes patch details across multiple Windows versions and threat intelligence context.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Windows Win32k GRFX Race Condition: Quick Look at CVE-2026-33839 Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A race condition in the Windows Win32k graphics subsystem quietly opens the door for any authenticated local user to escalate privileges to SYSTEM, requiring no user interaction at all. Patched as part of Microsoft's May 2026 Patch Tuesday, CVE-2026-33839 is a textbook example of why kernel mode synchronization bugs remain one of the most impactful classes of local privilege escalation vulnerabilities on Windows.

Technical Information

The vulnerability resides in the Win32k GRFX subsystem, a kernel mode component responsible for graphics rendering and window management in Windows. The root cause is classified under CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization. A shared resource within the Win32k graphics subsystem is accessed by concurrent execution paths without adequate locking or synchronization primitives, creating a window in which an attacker can corrupt internal kernel state.

CVSS Vector Analysis

The official CVSS 3.1 vector provided by Microsoft is:

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

This yields a base score of 7.0 and a temporal score of 6.1. The key metrics break down as follows:

MetricValueImplication
Attack VectorLocalAttacker must have a session on the target machine
Attack ComplexityHighExploitation requires winning a race condition
Privileges RequiredLowAny authenticated local user can attempt exploitation
User InteractionNoneNo social engineering or user action is required
ScopeUnchangedImpact is confined to the vulnerable system
ConfidentialityHighFull data access upon successful exploitation
IntegrityHighFull system modification is possible
AvailabilityHighSystem stability can be completely compromised

Exploitation Flow

Based on the advisory details, the exploitation flow would proceed as follows:

  1. The attacker establishes a local session on the target Windows system using any low privilege account.
  2. The attacker triggers concurrent operations against the vulnerable shared resource within the Win32k GRFX subsystem.
  3. By carefully timing these operations, the attacker attempts to win the race condition, corrupting internal kernel state.
  4. Upon winning the race, the attacker leverages the corrupted state to elevate their execution context to SYSTEM, gaining full control over the machine.

The High attack complexity rating is worth noting. Race conditions are probabilistic by nature; exploitation may require multiple attempts and careful timing. However, the low privilege requirement and absence of any user interaction make this a practical post compromise escalation vector. Once an attacker has any foothold on a multi user Windows system, this vulnerability becomes a viable path to full system control.

Patch Information

Microsoft released an official fix for CVE-2026-33839 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The fix addresses improper synchronization of a shared resource during concurrent execution within the Win32k graphics subsystem, closing the window in which an attacker could win the race to corrupt state and elevate privileges.

The patch was distributed across multiple cumulative updates targeting different Windows versions:

Product(s)KB ArticlePatched Build
Windows 10 v1809 / Server 2019KB508753810.0.17763.8755
Windows 10 v21H2 / v22H2KB508754410.0.19044.7291 / 10.0.19045.7291
Windows 11 v23H2KB508742010.0.22631.7079
Windows 11 v24H2 / v25H2KB5089549 (plus Hotpatch KB5089466)10.0.26100.8457 / 10.0.26200.8457
Windows 11 v26H1KB508954810.0.28000.2113
Windows Server 2022KB5087545 (plus Hotpatch KB5087424)10.0.20348.5139
Windows Server 2022, 23H2 EditionKB508754110.0.25398.2330
Windows Server 2025KB5087539 (plus Hotpatch KB5087423)10.0.26100.32860

For newer platforms (Windows 11 24H2/25H2, Server 2022, and Server 2025), Microsoft also shipped Security Hotpatch Updates (the secondary KB numbers listed above). Hotpatching allows the fix to be applied to the running kernel without requiring a full system reboot, which is particularly useful in server environments where uptime is critical.

Because this is a closed source kernel mode fix within the Win32k driver, no source level diffs or commits are publicly available. The MSRC advisory confirms the Remediation Level as "Official Fix" and marks customer action as Required across all 23 listed product entries. All updates are available through Windows Update and the Microsoft Update Catalog.

Affected Systems and Versions

Based on the patch matrix, the following Windows versions are confirmed affected:

  • Windows 10 version 1809
  • Windows 10 version 21H2
  • Windows 10 version 22H2
  • Windows 11 version 23H2
  • Windows 11 version 24H2
  • Windows 11 version 25H2
  • Windows 11 version 26H1
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2022, 23H2 Edition
  • Windows Server 2025

All builds prior to the patched build numbers listed in the Patch Information section are vulnerable. The MSRC advisory lists 23 distinct product entries requiring the update.

Vendor Security History

Win32k has a long and well documented history as a target for local privilege escalation vulnerabilities on Windows. The kernel mode graphics subsystem has been the subject of numerous CVEs over the years, frequently appearing in Patch Tuesday releases. In the May 2026 cycle alone, Microsoft addressed 137 different vulnerabilities, reflecting the scale of the Windows attack surface. Microsoft's structured monthly patch cadence and role as CNA for its own products demonstrate a mature vulnerability management program, though the recurring nature of Win32k issues underscores the inherent complexity of securing legacy kernel mode components.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization