Introduction
A use after free condition in the Windows kernel mode graphics subsystem just gave every standard user account a potential path to SYSTEM privileges. CVE-2026-33840, disclosed during Microsoft's May 2026 Patch Tuesday, targets the Win32K ICOMP compositor component and affects Windows 11 versions 24H2 through 26H1 as well as Windows Server 2025, covering a significant portion of the modern Windows enterprise footprint.
Technical Information
Root Cause: Use After Free in Win32K ICOMP
CVE-2026-33840 is classified under CWE-416 (Use After Free). The vulnerability resides in the Win32K ICOMP component, which is the internal compositor path within the Windows kernel mode graphics driver. Use after free conditions arise when a program continues to reference a pointer after the underlying memory has been deallocated. If an attacker can influence the contents of the freed memory region before the dangling pointer is dereferenced, they can redirect execution flow and achieve arbitrary code execution in kernel mode.
CVSS Breakdown
The CVSS 3.1 vector string is:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
This yields a base score of 7.8 and a temporal score of 6.8. The key parameters:
- Attack Vector (Local): The attacker must have local access to the target system.
- Attack Complexity (Low): No special conditions or race windows are required.
- Privileges Required (Low): A standard, unprivileged user account is sufficient.
- User Interaction (None): No victim action is needed to trigger the exploit.
- Impact (High across all three pillars): Successful exploitation results in SYSTEM level access, meaning complete compromise of confidentiality, integrity, and availability.
Attack Flow
Based on the vulnerability characteristics, the exploitation path would follow this sequence:
- Initial Access: The attacker obtains a low privilege local session on a vulnerable Windows system, whether through compromised credentials, phishing, or another initial access vector.
- Trigger the Free: The attacker manipulates GDI or windowing objects in a way that causes the Win32K ICOMP compositor to free a kernel object prematurely.
- Reclaim Freed Memory: Using heap spraying or other kernel pool manipulation techniques, the attacker fills the freed memory region with controlled data, effectively replacing the original object with a crafted payload.
- Dereference the Dangling Pointer: When the Win32K driver subsequently accesses the now freed (and attacker controlled) memory through the stale pointer, it operates on the attacker's data.
- Privilege Escalation: The corrupted object allows the attacker to execute arbitrary code in kernel mode, elevating from a standard user to SYSTEM privileges.
Because the component is the internal compositor path ("ICOMP"), the vulnerable code path likely involves how graphical or windowing objects are tracked during composition operations.
Patch Information
Microsoft released the official fix on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The Remediation Level is marked as Official Fix, and customer action is listed as Required for all affected products. No workarounds or temporary mitigations are available.
The fix is distributed as cumulative security updates across the following Knowledge Base articles:
| Product | Architecture | KB (Security Update) | KB (Hotpatch) | Fixed Build |
|---|---|---|---|---|
| Windows 11 Version 26H1 | x64, ARM64 | KB5089548 | N/A | 10.0.28000.2113 |
| Windows 11 Version 24H2 | x64, ARM64 | KB5089549 | KB5089466 | 10.0.26100.8457 |
| Windows 11 Version 25H2 | x64, ARM64 | KB5089549 | KB5089466 | 10.0.26200.8457 |
| Windows Server 2025 (incl. Server Core) | x64 | KB5087539 | KB5087423 | 10.0.26100.32860 |
Hotpatch availability: For Windows 11 24H2, 25H2, and Windows Server 2025, Microsoft offers a Security Hotpatch option alongside the traditional cumulative update. Hotpatching applies the fix in memory without requiring a reboot, which is particularly valuable for server workloads where uptime is critical.
Version boundaries from CVE.org confirm exactly which builds are vulnerable. For example, Windows 11 24H2 is affected from build 10.0.26100.0 up to (but not including) 10.0.26100.8457. Any system running a build number at or above the fixed threshold is patched.
To apply the fix, administrators should install the appropriate KB update via Windows Update, WSUS, or the Microsoft Update Catalog.
Detection Methods
Snort IDS/IPS Signatures
Cisco Talos published Snort rules targeting CVE-2026-33840 as part of the Snort Subscriber Rules Update released on May 12, 2026:
- Snort 2: GID 1, SIDs 66442 through 66443
- Snort 3: GID 1, SID 301496
These rules fall within the os-windows rule set category and are designed to detect exploitation attempts targeting the use after free condition in the Win32K ICOMP subsystem. Organizations running Snort should ensure they have an active Snort Subscriber Ruleset subscription and that their rulesets are updated to include the May 12, 2026 release.
It is worth noting that because this is a local elevation of privilege vulnerability (attack vector is Local), the Snort rules would most likely be effective in scenarios where network observable traffic is associated with an exploitation chain, for example, if a remote access payload is used to deliver and trigger the local exploit.
Behavioral Detection Guidance
Beyond network level Snort signatures, defenders should monitor for the following:
- Windows Event Logs: Watch for unexpected SYSTEM level process creation by low privilege users. Security Event ID 4672 (Special privileges assigned to new logon) from unusual parent processes may indicate successful exploitation.
- Crash Telemetry: Failed exploitation of use after free conditions in Win32K often results in kernel mode crashes (BSODs). Monitoring for BugCheck codes related to Win32K (such as those referencing
win32kfull.sysorwin32kbase.sys) on endpoints can help identify failed exploitation attempts. - EDR Telemetry: Since Microsoft rates this vulnerability as "Exploitation More Likely," EDR solutions with kernel level telemetry should be configured to alert on suspicious GDI/Win32K object manipulation patterns.
No standalone indicators of compromise (file hashes, IP addresses, or domain based IoCs) have been publicly released for this vulnerability as of the advisory date.
Affected Systems and Versions
The following Windows versions are confirmed vulnerable:
- Windows 11 Version 24H2 (x64 and ARM64): builds from
10.0.26100.0up to (but not including)10.0.26100.8457 - Windows 11 Version 25H2 (x64 and ARM64): builds from
10.0.26200.0up to (but not including)10.0.26200.8457 - Windows 11 Version 26H1 (x64 and ARM64): builds up to (but not including)
10.0.28000.2113 - Windows Server 2025 (x64, including Server Core installation): builds up to (but not including)
10.0.26100.32860
With Windows 11 commanding over 70 percent of the Windows desktop market share as of April 2026, and Windows overall holding approximately 79 percent of the global desktop OS market, the exposure surface is significant.
Vendor Security History
The May 2026 Patch Tuesday release included 137 Microsoft CVEs, with 13 issues marked as "Exploitation More Likely." Another source noted 120 flaws with no zero days disclosed during this specific month. Win32K has historically been a frequent target for privilege escalation research, given its large attack surface as a kernel mode component handling user mode graphics requests. Microsoft operates bug bounty programs offering up to $250,000 for Endpoint and On Premise vulnerability discoveries through the Microsoft Security Response Center.
References
- MSRC Advisory: CVE-2026-33840
- NVD Entry: CVE-2026-33840
- CVE.org Record: CVE-2026-33840
- BleepingComputer: Microsoft Patch Tuesday May 2026 Report
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Splashtop: May 2026 Patch Tuesday, 137 CVEs to Prioritize
- Cisco Talos: Microsoft Patch Tuesday May 2026
- Snort Subscriber Rules Update (May 2026)
- SANS Internet Storm Center: Microsoft May 2026 Patch Tuesday
- Microsoft Security Update Guide
- Microsoft Bounty Programs
- KB5089548 (Windows 11 26H1)
- KB5089549 (Windows 11 24H2/25H2)
- KB5089466 (Hotpatch for Windows 11 24H2/25H2)
- KB5087539 (Windows Server 2025)
- KB5087423 (Hotpatch for Windows Server 2025)
- Microsoft Update Catalog



