ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-33840 Windows Win32K ICOMP Use After Free Privilege Escalation

A short review of CVE-2026-33840, a use after free vulnerability in the Windows Win32K ICOMP component that allows local privilege escalation to SYSTEM. Includes patch details, affected builds, and detection methods using Snort signatures.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-33840 Windows Win32K ICOMP Use After Free Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A use after free condition in the Windows kernel mode graphics subsystem just gave every standard user account a potential path to SYSTEM privileges. CVE-2026-33840, disclosed during Microsoft's May 2026 Patch Tuesday, targets the Win32K ICOMP compositor component and affects Windows 11 versions 24H2 through 26H1 as well as Windows Server 2025, covering a significant portion of the modern Windows enterprise footprint.

Technical Information

Root Cause: Use After Free in Win32K ICOMP

CVE-2026-33840 is classified under CWE-416 (Use After Free). The vulnerability resides in the Win32K ICOMP component, which is the internal compositor path within the Windows kernel mode graphics driver. Use after free conditions arise when a program continues to reference a pointer after the underlying memory has been deallocated. If an attacker can influence the contents of the freed memory region before the dangling pointer is dereferenced, they can redirect execution flow and achieve arbitrary code execution in kernel mode.

CVSS Breakdown

The CVSS 3.1 vector string is:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

This yields a base score of 7.8 and a temporal score of 6.8. The key parameters:

  • Attack Vector (Local): The attacker must have local access to the target system.
  • Attack Complexity (Low): No special conditions or race windows are required.
  • Privileges Required (Low): A standard, unprivileged user account is sufficient.
  • User Interaction (None): No victim action is needed to trigger the exploit.
  • Impact (High across all three pillars): Successful exploitation results in SYSTEM level access, meaning complete compromise of confidentiality, integrity, and availability.

Attack Flow

Based on the vulnerability characteristics, the exploitation path would follow this sequence:

  1. Initial Access: The attacker obtains a low privilege local session on a vulnerable Windows system, whether through compromised credentials, phishing, or another initial access vector.
  2. Trigger the Free: The attacker manipulates GDI or windowing objects in a way that causes the Win32K ICOMP compositor to free a kernel object prematurely.
  3. Reclaim Freed Memory: Using heap spraying or other kernel pool manipulation techniques, the attacker fills the freed memory region with controlled data, effectively replacing the original object with a crafted payload.
  4. Dereference the Dangling Pointer: When the Win32K driver subsequently accesses the now freed (and attacker controlled) memory through the stale pointer, it operates on the attacker's data.
  5. Privilege Escalation: The corrupted object allows the attacker to execute arbitrary code in kernel mode, elevating from a standard user to SYSTEM privileges.

Because the component is the internal compositor path ("ICOMP"), the vulnerable code path likely involves how graphical or windowing objects are tracked during composition operations.

Patch Information

Microsoft released the official fix on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The Remediation Level is marked as Official Fix, and customer action is listed as Required for all affected products. No workarounds or temporary mitigations are available.

The fix is distributed as cumulative security updates across the following Knowledge Base articles:

ProductArchitectureKB (Security Update)KB (Hotpatch)Fixed Build
Windows 11 Version 26H1x64, ARM64KB5089548N/A10.0.28000.2113
Windows 11 Version 24H2x64, ARM64KB5089549KB508946610.0.26100.8457
Windows 11 Version 25H2x64, ARM64KB5089549KB508946610.0.26200.8457
Windows Server 2025 (incl. Server Core)x64KB5087539KB508742310.0.26100.32860

Hotpatch availability: For Windows 11 24H2, 25H2, and Windows Server 2025, Microsoft offers a Security Hotpatch option alongside the traditional cumulative update. Hotpatching applies the fix in memory without requiring a reboot, which is particularly valuable for server workloads where uptime is critical.

Version boundaries from CVE.org confirm exactly which builds are vulnerable. For example, Windows 11 24H2 is affected from build 10.0.26100.0 up to (but not including) 10.0.26100.8457. Any system running a build number at or above the fixed threshold is patched.

To apply the fix, administrators should install the appropriate KB update via Windows Update, WSUS, or the Microsoft Update Catalog.

Detection Methods

Snort IDS/IPS Signatures

Cisco Talos published Snort rules targeting CVE-2026-33840 as part of the Snort Subscriber Rules Update released on May 12, 2026:

  • Snort 2: GID 1, SIDs 66442 through 66443
  • Snort 3: GID 1, SID 301496

These rules fall within the os-windows rule set category and are designed to detect exploitation attempts targeting the use after free condition in the Win32K ICOMP subsystem. Organizations running Snort should ensure they have an active Snort Subscriber Ruleset subscription and that their rulesets are updated to include the May 12, 2026 release.

It is worth noting that because this is a local elevation of privilege vulnerability (attack vector is Local), the Snort rules would most likely be effective in scenarios where network observable traffic is associated with an exploitation chain, for example, if a remote access payload is used to deliver and trigger the local exploit.

Behavioral Detection Guidance

Beyond network level Snort signatures, defenders should monitor for the following:

  • Windows Event Logs: Watch for unexpected SYSTEM level process creation by low privilege users. Security Event ID 4672 (Special privileges assigned to new logon) from unusual parent processes may indicate successful exploitation.
  • Crash Telemetry: Failed exploitation of use after free conditions in Win32K often results in kernel mode crashes (BSODs). Monitoring for BugCheck codes related to Win32K (such as those referencing win32kfull.sys or win32kbase.sys) on endpoints can help identify failed exploitation attempts.
  • EDR Telemetry: Since Microsoft rates this vulnerability as "Exploitation More Likely," EDR solutions with kernel level telemetry should be configured to alert on suspicious GDI/Win32K object manipulation patterns.

No standalone indicators of compromise (file hashes, IP addresses, or domain based IoCs) have been publicly released for this vulnerability as of the advisory date.

Affected Systems and Versions

The following Windows versions are confirmed vulnerable:

  • Windows 11 Version 24H2 (x64 and ARM64): builds from 10.0.26100.0 up to (but not including) 10.0.26100.8457
  • Windows 11 Version 25H2 (x64 and ARM64): builds from 10.0.26200.0 up to (but not including) 10.0.26200.8457
  • Windows 11 Version 26H1 (x64 and ARM64): builds up to (but not including) 10.0.28000.2113
  • Windows Server 2025 (x64, including Server Core installation): builds up to (but not including) 10.0.26100.32860

With Windows 11 commanding over 70 percent of the Windows desktop market share as of April 2026, and Windows overall holding approximately 79 percent of the global desktop OS market, the exposure surface is significant.

Vendor Security History

The May 2026 Patch Tuesday release included 137 Microsoft CVEs, with 13 issues marked as "Exploitation More Likely." Another source noted 120 flaws with no zero days disclosed during this specific month. Win32K has historically been a frequent target for privilege escalation research, given its large attack surface as a kernel mode component handling user mode graphics requests. Microsoft operates bug bounty programs offering up to $250,000 for Endpoint and On Premise vulnerability discoveries through the Microsoft Security Response Center.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization