Introduction
An integer overflow in the Windows Win32k graphics subsystem quietly opens a path from any authenticated local user straight to SYSTEM privileges on nearly every supported Windows build. Discovered by wenqunwang with the China Telecom Research Institute and patched during Microsoft's May 2026 Patch Tuesday cycle, CVE-2026-34330 carries a CVSS 7.8 score and affects a sprawling matrix of Windows client and server editions, with no workarounds available outside of applying the official fix.
Technical Information
The vulnerability resides in the Windows Win32K GRFX component, the graphics handling portion of the Win32k kernel mode driver (win32kfull.sys). It is classified under two CWE entries: CWE-190 (Integer Overflow or Wraparound) and CWE-416 (Use After Free). The dual classification indicates a chained exploitation primitive where the integer overflow is the initial trigger and the use after free is the resulting exploitable condition.
CVSS Vector Breakdown
The CVSS 3.1 vector string is:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Breaking this down: the attack vector is Local, meaning the attacker must already have code execution on the target system. Attack complexity is Low, indicating no special conditions or race windows are required. The attacker needs Low privileges (any authenticated user), and no user interaction is necessary. The scope is Unchanged, meaning the vulnerability affects only the Win32k security context, but since Win32k runs in kernel mode, achieving code execution there effectively grants SYSTEM privileges. Impact across confidentiality, integrity, and availability is all rated High.
Exploitation Chain
The exploitation chain works as follows based on the CWE classification:
- An authorized local attacker triggers an integer overflow in a size or count field within the GRFX subsystem.
- This overflow causes an undersized memory allocation.
- Subsequent operations write beyond the allocated buffer or reference memory that has been freed due to the incorrect size calculation, producing a use after free condition.
- By carefully controlling the freed memory contents through heap manipulation techniques common in Windows kernel exploitation, the attacker can redirect execution flow or corrupt kernel data structures to elevate privileges to SYSTEM.
Because Win32k is a closed source kernel mode driver, Microsoft has not published a source code diff. Based on the dual CWE classification, the fix almost certainly adds proper integer overflow checks (for example, safe arithmetic on size or count fields) to prevent the subsequent use after free from being reachable. This is a well established remediation pattern for integer overflow to UAF chains in kernel graphics subsystems.
Patch Information
Microsoft released an official fix for CVE-2026-34330 on May 12, 2026, as part of the May 2026 Patch Tuesday cumulative security update cycle. The patch addresses both root cause weaknesses in the Windows Win32K GRFX component. Microsoft explicitly states there are no mitigations and no workarounds available; patching is the sole remediation.
The CVSS v3.1 vector includes the temporal qualifier RL:O (Remediation Level: Official Fix), confirming this is a vendor supplied permanent resolution.
Consolidated Patch Matrix
| Platform | KB Article | Fixed Build |
|---|---|---|
| Windows 10 1809 / Server 2019 | KB5087538 | 10.0.17763.8755 |
| Windows 10 21H2 and 22H2 | KB5087544 | 10.0.19044.7291 / 10.0.19045.7291 |
| Windows 11 23H2 | KB5087420 | 10.0.22631.7079 |
| Windows 11 24H2 (client) | KB5089549 | 10.0.26100.8457 |
| Windows 11 25H2 | KB5089549 | 10.0.26200.8457 |
| Windows 11 26H1 | KB5089548 | 10.0.28000.2113 |
| Windows Server 2016 | KB5087537 | 10.0.14393.9140 |
| Windows Server 2022 | KB5087545 | 10.0.20348.5139 |
| Windows Server 2022 23H2 | KB5087541 | 10.0.25398.2330 |
| Windows Server 2025 | KB5087539 | 10.0.26100.32860 |
| Windows Server 2012 | KB5087470 (Monthly Rollup) | 6.2.9200.26079 |
| Windows Server 2012 R2 | KB5087471 (Monthly Rollup) | 6.3.9600.23181 |
All standard security updates require a system restart. Organizations must coordinate change controls with business owners to avoid unplanned outages.
Hotpatch Options
For environments that support hotpatching (Azure Edition VMs and certain Server 2025 configurations), corresponding Security Hotpatch updates were also released:
| Platform | KB Article | Fixed Build |
|---|---|---|
| Windows 11 24H2/25H2 | KB5089466 | 10.0.26100.8390 / 10.0.26200.8390 |
| Windows Server 2025 | KB5087423 | 10.0.26100.32772 |
| Windows Server 2022 | KB5087424 | 10.0.20348.5074 |
These hotpatch updates allow the fix to be applied without a reboot, which is particularly valuable for production server environments.
Affected Systems and Versions
The vulnerability impacts a broad range of Windows client and server operating systems across multiple architectures:
Windows Client:
- Windows 10 Version 1607 (32 bit and x64 based)
- Windows 10 Version 1809 (32 bit and x64 based)
- Windows 10 Version 21H2 (32 bit, x64 based, ARM64 based)
- Windows 10 Version 22H2 (32 bit, x64 based, ARM64 based)
- Windows 11 Version 23H2 (x64 based and ARM64 based)
- Windows 11 Version 24H2 (x64 based and ARM64 based)
- Windows 11 Version 25H2
- Windows 11 Version 26H1
Windows Server:
- Windows Server 2012 (Standard and Server Core)
- Windows Server 2012 R2 (Standard and Server Core)
- Windows Server 2016 (Standard and Server Core)
- Windows Server 2019 (Standard and Server Core)
- Windows Server 2022 (Standard and Server Core)
- Windows Server 2022 23H2
- Windows Server 2025 (Standard and Server Core)
Any system running a build number lower than the fixed builds listed in the patch matrix above is vulnerable.
Vendor Security History
This vulnerability is part of a broader pattern of memory safety issues in the Win32k component. During the same May 2026 update cycle, Microsoft also patched CVE-2026-34331 and CVE-2026-34333, both Win32k Elevation of Privilege vulnerabilities. The Win32k subsystem has been a recurring source of local privilege escalation flaws due to its large kernel mode attack surface and complex legacy codebase.
The May 2026 Patch Tuesday cycle addressed 120 flaws total with zero zero days reported. CVE-2026-34330 was credited to wenqunwang with the China Telecom Research Institute through coordinated vulnerability disclosure.
References
- NVD Entry for CVE-2026-34330
- CVE.org Record for CVE-2026-34330
- Microsoft Security Update Guide: CVE-2026-34330
- Microsoft CVRF Advisory Data, May 2026
- Tenable CVE-2026-34330 Summary
- Bleeping Computer: Microsoft May 2026 Patch Tuesday Fixes 120 Flaws, No Zero Days
- Bleeping Computer: Microsoft Patch Tuesday May 2026 Report
- CISA Known Exploited Vulnerabilities Catalog Update, May 2026



