Introduction
A heap overflow in the Windows Kernel, patched during the May 2026 Patch Tuesday cycle, gives any authenticated local user a path from a sandboxed, low integrity process all the way to SYSTEM. With Windows commanding nearly 64 percent of the global desktop market and no workarounds available, CVE-2026-33841 is the kind of local privilege escalation (LPE) that post-exploitation toolkits tend to absorb quickly once patch diffing reveals the root cause.
Technical Information
Root Cause
CVE-2026-33841 is classified under CWE-122: Heap-based Buffer Overflow. The flaw resides somewhere within the Windows Kernel, though Microsoft has not disclosed the specific component or driver involved. Because the kernel is closed source, no source-level diff is available; the fix is delivered as a binary-level patch bundled into cumulative updates.
The CVSS 3.1 vector string is:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Breaking this down:
- Attack Vector: Local — the attacker must already have code execution on the target.
- Attack Complexity: Low — no special conditions or race windows are required.
- Privileges Required: Low — a standard, unprivileged user account is sufficient.
- User Interaction: None — no victim action is needed.
- Impact: High across Confidentiality, Integrity, and Availability — full compromise of the local system is achievable.
Integrity Boundary Traversal
The practical impact of this vulnerability centers on Windows Mandatory Integrity Control (MIC) boundaries. An attacker who successfully triggers the heap overflow can escalate from a Low Integrity Level execution context, such as an AppContainer sandbox, to Medium or High Integrity Level. In the most impactful scenario, the attacker achieves SYSTEM level privileges.
This makes CVE-2026-33841 especially relevant in attack chains where an adversary has already achieved initial code execution through a browser exploit, a compromised application, or a phishing payload running inside a sandboxed process. The LPE serves as the bridge from constrained execution to full host control.
Attack Flow
Based on the available technical details, the exploitation path follows a well understood pattern for kernel heap overflows:
- The attacker gains initial code execution on the target system with low privileges (e.g., a standard user account or a sandboxed process).
- The attacker triggers the heap-based buffer overflow in the Windows Kernel, likely through a crafted system call or IOCTL that passes data exceeding the expected buffer size.
- The overflow corrupts adjacent heap metadata or kernel objects, allowing the attacker to gain arbitrary read/write primitives in kernel memory.
- The attacker leverages these primitives to overwrite token structures or other security-relevant kernel objects, elevating the process integrity level and effective privileges.
- The attacker's process now runs at SYSTEM, with full control over the host.
The exact trigger mechanism (the specific syscall, IOCTL, or kernel path) has not been disclosed in any public advisory. Microsoft's "Exploitation More Likely" assessment suggests that reverse engineering the binary patch could reveal the vulnerable code path with moderate effort.
Exploit Status
At the time of publication, no public exploit or proof of concept exists. The vulnerability was not publicly known prior to the May 2026 Patch Tuesday disclosure, and no active exploitation has been observed. Multiple intelligence sources, including the Zero Day Initiative, BleepingComputer, Tenable, and VulDB, confirm this status. However, the "Exploitation More Likely" designation from Microsoft's Exploitability Index is a strong signal that defenders should not treat the absence of a current exploit as a reason to delay patching.
Patch Information
Microsoft released the official fix for CVE-2026-33841 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the Remediation Level as "Official Fix," meaning a complete vendor solution is available via cumulative security updates distributed through Windows Update, WSUS, and the Microsoft Update Catalog.
The patch corrects the heap-based buffer overflow condition that previously allowed an authenticated local attacker to escalate privileges from a Low Integrity Level (e.g., an AppContainer sandbox) to Medium or High Integrity Level.
The following table summarizes the relevant Knowledge Base articles, patched build numbers, and affected platforms. Administrators should verify their systems are updated to at least these build numbers:
| Platform | KB Article(s) | Patched Build |
|---|---|---|
| Windows 11 Version 26H1 (x64 / ARM64) | KB5089548 | 10.0.28000.2113 |
| Windows 11 Version 25H2 (x64 / ARM64) | KB5089549, KB5089466 (hotpatch) | 10.0.26200.8457 / 10.0.26200.8390 |
| Windows 11 Version 24H2 (x64 / ARM64) | KB5089549, KB5089466 (hotpatch) | 10.0.26100.8457 / 10.0.26100.8390 |
| Windows 11 Version 23H2 (x64 / ARM64) | KB5087420 | 10.0.22631.7079 |
| Windows 10 Version 22H2 (32 bit / x64 / ARM64) | KB5087544 | 10.0.19045.7291 |
| Windows 10 Version 21H2 (32 bit / x64 / ARM64) | KB5087544 | 10.0.19044.7291 |
| Windows Server 2025 (full and Server Core) | KB5087539, KB5087423 (hotpatch) | 10.0.26100.32860 / 10.0.26100.32772 |
| Windows Server 2022, 23H2 Edition (Server Core) | KB5087541 | 10.0.25398.2330 |
| Windows Server 2022 (full and Server Core) | KB5087545, KB5087424 (hotpatch) | 10.0.20348.5139 / 10.0.20348.5074 |
A notable aspect of this rollout is the availability of Security Hotpatch updates for several platforms: Windows Server 2025, Windows Server 2022, and the Windows 11 24H2/25H2 lines. Hotpatch updates apply critical fixes to in-memory code without requiring an immediate reboot, which is particularly valuable for server environments where uptime is a priority. The hotpatch KBs (e.g., KB5087423, KB5089466, KB5087424) target slightly earlier build numbers than their full reboot counterparts, but both paths remediate the vulnerability.
All 19 product entries listed in the MSRC advisory carry a customer action status of "Required," underscoring that automated update delivery alone may not be sufficient. Administrators should actively verify deployment. Microsoft has explicitly stated that no workarounds or alternative mitigations exist for this vulnerability.
Affected Systems and Versions
The following Windows client and server operating systems are confirmed vulnerable:
- Windows 10 Version 21H2 (32 bit, x64, ARM64)
- Windows 10 Version 22H2 (32 bit, x64, ARM64)
- Windows 11 Version 23H2 (x64, ARM64)
- Windows 11 Version 24H2 (x64, ARM64)
- Windows 11 Version 25H2 (x64, ARM64)
- Windows 11 Version 26H1 (x64, ARM64)
- Windows Server 2022 (full installation and Server Core)
- Windows Server 2022, 23H2 Edition (Server Core)
- Windows Server 2025 (full installation and Server Core)
All listed versions are vulnerable prior to the build numbers specified in the patch table above. The vulnerability affects all supported processor architectures for each listed product, including 32 bit, x64, and ARM64 where applicable.
Vendor Security History
CVE-2026-33841 is one of 13 Windows Kernel elevation of privilege vulnerabilities addressed so far in 2026. This recurring pattern highlights the Windows Kernel as a continuous and high-value target for both security researchers and threat actors. The May 2026 Patch Tuesday cycle itself addressed between 118 and 138 vulnerabilities depending on the tracking source, reflecting the scale of Microsoft's ongoing security maintenance burden.
The following table shows how different intelligence sources reported on this patch cycle:
| Source | Total CVEs Cited | CVE-2026-33841 Exploit Status | Zero Day Status |
|---|---|---|---|
| Zero Day Initiative | 138 | Not in the wild | None listed |
| BleepingComputer | 120 | Not exploited | No zero days |
| Tenable | 118 | Exploitation More Likely | Not specified |
| VulDB | Not specified | No exploit available | Not specified |
References
- MSRC Advisory: CVE-2026-33841 Windows Kernel Elevation of Privilege Vulnerability
- NVD Entry: CVE-2026-33841
- CVE Record: CVE-2026-33841
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- BleepingComputer: Microsoft Patch Tuesday May 2026 Report
- Tenable: May 2026 Microsoft Patch Tuesday
- Tenable: Windows Server 2025 Security Update Plugin (May 2026)
- VulDB: CVE-2026-33841
- Zero Day Initiative: The May 2026 Security Update Review
- StatCounter: Desktop Operating System Market Share Worldwide



