ZeroPath at Black Hat USA 2026

Windows Kernel CVE-2026-33841: Quick Look at a Heap Overflow Privilege Escalation

A brief summary of CVE-2026-33841, a heap-based buffer overflow in the Windows Kernel that enables local privilege escalation from low integrity to SYSTEM, along with patch details for affected Windows client and server versions.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Windows Kernel CVE-2026-33841: Quick Look at a Heap Overflow Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A heap overflow in the Windows Kernel, patched during the May 2026 Patch Tuesday cycle, gives any authenticated local user a path from a sandboxed, low integrity process all the way to SYSTEM. With Windows commanding nearly 64 percent of the global desktop market and no workarounds available, CVE-2026-33841 is the kind of local privilege escalation (LPE) that post-exploitation toolkits tend to absorb quickly once patch diffing reveals the root cause.

Technical Information

Root Cause

CVE-2026-33841 is classified under CWE-122: Heap-based Buffer Overflow. The flaw resides somewhere within the Windows Kernel, though Microsoft has not disclosed the specific component or driver involved. Because the kernel is closed source, no source-level diff is available; the fix is delivered as a binary-level patch bundled into cumulative updates.

The CVSS 3.1 vector string is:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Breaking this down:

  • Attack Vector: Local — the attacker must already have code execution on the target.
  • Attack Complexity: Low — no special conditions or race windows are required.
  • Privileges Required: Low — a standard, unprivileged user account is sufficient.
  • User Interaction: None — no victim action is needed.
  • Impact: High across Confidentiality, Integrity, and Availability — full compromise of the local system is achievable.

Integrity Boundary Traversal

The practical impact of this vulnerability centers on Windows Mandatory Integrity Control (MIC) boundaries. An attacker who successfully triggers the heap overflow can escalate from a Low Integrity Level execution context, such as an AppContainer sandbox, to Medium or High Integrity Level. In the most impactful scenario, the attacker achieves SYSTEM level privileges.

This makes CVE-2026-33841 especially relevant in attack chains where an adversary has already achieved initial code execution through a browser exploit, a compromised application, or a phishing payload running inside a sandboxed process. The LPE serves as the bridge from constrained execution to full host control.

Attack Flow

Based on the available technical details, the exploitation path follows a well understood pattern for kernel heap overflows:

  1. The attacker gains initial code execution on the target system with low privileges (e.g., a standard user account or a sandboxed process).
  2. The attacker triggers the heap-based buffer overflow in the Windows Kernel, likely through a crafted system call or IOCTL that passes data exceeding the expected buffer size.
  3. The overflow corrupts adjacent heap metadata or kernel objects, allowing the attacker to gain arbitrary read/write primitives in kernel memory.
  4. The attacker leverages these primitives to overwrite token structures or other security-relevant kernel objects, elevating the process integrity level and effective privileges.
  5. The attacker's process now runs at SYSTEM, with full control over the host.

The exact trigger mechanism (the specific syscall, IOCTL, or kernel path) has not been disclosed in any public advisory. Microsoft's "Exploitation More Likely" assessment suggests that reverse engineering the binary patch could reveal the vulnerable code path with moderate effort.

Exploit Status

At the time of publication, no public exploit or proof of concept exists. The vulnerability was not publicly known prior to the May 2026 Patch Tuesday disclosure, and no active exploitation has been observed. Multiple intelligence sources, including the Zero Day Initiative, BleepingComputer, Tenable, and VulDB, confirm this status. However, the "Exploitation More Likely" designation from Microsoft's Exploitability Index is a strong signal that defenders should not treat the absence of a current exploit as a reason to delay patching.

Patch Information

Microsoft released the official fix for CVE-2026-33841 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the Remediation Level as "Official Fix," meaning a complete vendor solution is available via cumulative security updates distributed through Windows Update, WSUS, and the Microsoft Update Catalog.

The patch corrects the heap-based buffer overflow condition that previously allowed an authenticated local attacker to escalate privileges from a Low Integrity Level (e.g., an AppContainer sandbox) to Medium or High Integrity Level.

The following table summarizes the relevant Knowledge Base articles, patched build numbers, and affected platforms. Administrators should verify their systems are updated to at least these build numbers:

PlatformKB Article(s)Patched Build
Windows 11 Version 26H1 (x64 / ARM64)KB508954810.0.28000.2113
Windows 11 Version 25H2 (x64 / ARM64)KB5089549, KB5089466 (hotpatch)10.0.26200.8457 / 10.0.26200.8390
Windows 11 Version 24H2 (x64 / ARM64)KB5089549, KB5089466 (hotpatch)10.0.26100.8457 / 10.0.26100.8390
Windows 11 Version 23H2 (x64 / ARM64)KB508742010.0.22631.7079
Windows 10 Version 22H2 (32 bit / x64 / ARM64)KB508754410.0.19045.7291
Windows 10 Version 21H2 (32 bit / x64 / ARM64)KB508754410.0.19044.7291
Windows Server 2025 (full and Server Core)KB5087539, KB5087423 (hotpatch)10.0.26100.32860 / 10.0.26100.32772
Windows Server 2022, 23H2 Edition (Server Core)KB508754110.0.25398.2330
Windows Server 2022 (full and Server Core)KB5087545, KB5087424 (hotpatch)10.0.20348.5139 / 10.0.20348.5074

A notable aspect of this rollout is the availability of Security Hotpatch updates for several platforms: Windows Server 2025, Windows Server 2022, and the Windows 11 24H2/25H2 lines. Hotpatch updates apply critical fixes to in-memory code without requiring an immediate reboot, which is particularly valuable for server environments where uptime is a priority. The hotpatch KBs (e.g., KB5087423, KB5089466, KB5087424) target slightly earlier build numbers than their full reboot counterparts, but both paths remediate the vulnerability.

All 19 product entries listed in the MSRC advisory carry a customer action status of "Required," underscoring that automated update delivery alone may not be sufficient. Administrators should actively verify deployment. Microsoft has explicitly stated that no workarounds or alternative mitigations exist for this vulnerability.

Affected Systems and Versions

The following Windows client and server operating systems are confirmed vulnerable:

  • Windows 10 Version 21H2 (32 bit, x64, ARM64)
  • Windows 10 Version 22H2 (32 bit, x64, ARM64)
  • Windows 11 Version 23H2 (x64, ARM64)
  • Windows 11 Version 24H2 (x64, ARM64)
  • Windows 11 Version 25H2 (x64, ARM64)
  • Windows 11 Version 26H1 (x64, ARM64)
  • Windows Server 2022 (full installation and Server Core)
  • Windows Server 2022, 23H2 Edition (Server Core)
  • Windows Server 2025 (full installation and Server Core)

All listed versions are vulnerable prior to the build numbers specified in the patch table above. The vulnerability affects all supported processor architectures for each listed product, including 32 bit, x64, and ARM64 where applicable.

Vendor Security History

CVE-2026-33841 is one of 13 Windows Kernel elevation of privilege vulnerabilities addressed so far in 2026. This recurring pattern highlights the Windows Kernel as a continuous and high-value target for both security researchers and threat actors. The May 2026 Patch Tuesday cycle itself addressed between 118 and 138 vulnerabilities depending on the tracking source, reflecting the scale of Microsoft's ongoing security maintenance burden.

The following table shows how different intelligence sources reported on this patch cycle:

SourceTotal CVEs CitedCVE-2026-33841 Exploit StatusZero Day Status
Zero Day Initiative138Not in the wildNone listed
BleepingComputer120Not exploitedNo zero days
Tenable118Exploitation More LikelyNot specified
VulDBNot specifiedNo exploit availableNot specified

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization