ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-34330 — Windows Win32k Integer Overflow to Use After Free Privilege Escalation

A short review of CVE-2026-34330, a local privilege escalation vulnerability in the Windows Win32K GRFX component caused by an integer overflow leading to a use after free condition. Includes patch details and affected version information.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-34330 — Windows Win32k Integer Overflow to Use After Free Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An integer overflow in the Windows Win32k graphics subsystem quietly opens a path from any authenticated local user straight to SYSTEM privileges on nearly every supported Windows build. Discovered by wenqunwang with the China Telecom Research Institute and patched during Microsoft's May 2026 Patch Tuesday cycle, CVE-2026-34330 carries a CVSS 7.8 score and affects a sprawling matrix of Windows client and server editions, with no workarounds available outside of applying the official fix.

Technical Information

The vulnerability resides in the Windows Win32K GRFX component, the graphics handling portion of the Win32k kernel mode driver (win32kfull.sys). It is classified under two CWE entries: CWE-190 (Integer Overflow or Wraparound) and CWE-416 (Use After Free). The dual classification indicates a chained exploitation primitive where the integer overflow is the initial trigger and the use after free is the resulting exploitable condition.

CVSS Vector Breakdown

The CVSS 3.1 vector string is:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Breaking this down: the attack vector is Local, meaning the attacker must already have code execution on the target system. Attack complexity is Low, indicating no special conditions or race windows are required. The attacker needs Low privileges (any authenticated user), and no user interaction is necessary. The scope is Unchanged, meaning the vulnerability affects only the Win32k security context, but since Win32k runs in kernel mode, achieving code execution there effectively grants SYSTEM privileges. Impact across confidentiality, integrity, and availability is all rated High.

Exploitation Chain

The exploitation chain works as follows based on the CWE classification:

  1. An authorized local attacker triggers an integer overflow in a size or count field within the GRFX subsystem.
  2. This overflow causes an undersized memory allocation.
  3. Subsequent operations write beyond the allocated buffer or reference memory that has been freed due to the incorrect size calculation, producing a use after free condition.
  4. By carefully controlling the freed memory contents through heap manipulation techniques common in Windows kernel exploitation, the attacker can redirect execution flow or corrupt kernel data structures to elevate privileges to SYSTEM.

Because Win32k is a closed source kernel mode driver, Microsoft has not published a source code diff. Based on the dual CWE classification, the fix almost certainly adds proper integer overflow checks (for example, safe arithmetic on size or count fields) to prevent the subsequent use after free from being reachable. This is a well established remediation pattern for integer overflow to UAF chains in kernel graphics subsystems.

Patch Information

Microsoft released an official fix for CVE-2026-34330 on May 12, 2026, as part of the May 2026 Patch Tuesday cumulative security update cycle. The patch addresses both root cause weaknesses in the Windows Win32K GRFX component. Microsoft explicitly states there are no mitigations and no workarounds available; patching is the sole remediation.

The CVSS v3.1 vector includes the temporal qualifier RL:O (Remediation Level: Official Fix), confirming this is a vendor supplied permanent resolution.

Consolidated Patch Matrix

PlatformKB ArticleFixed Build
Windows 10 1809 / Server 2019KB508753810.0.17763.8755
Windows 10 21H2 and 22H2KB508754410.0.19044.7291 / 10.0.19045.7291
Windows 11 23H2KB508742010.0.22631.7079
Windows 11 24H2 (client)KB508954910.0.26100.8457
Windows 11 25H2KB508954910.0.26200.8457
Windows 11 26H1KB508954810.0.28000.2113
Windows Server 2016KB508753710.0.14393.9140
Windows Server 2022KB508754510.0.20348.5139
Windows Server 2022 23H2KB508754110.0.25398.2330
Windows Server 2025KB508753910.0.26100.32860
Windows Server 2012KB5087470 (Monthly Rollup)6.2.9200.26079
Windows Server 2012 R2KB5087471 (Monthly Rollup)6.3.9600.23181

All standard security updates require a system restart. Organizations must coordinate change controls with business owners to avoid unplanned outages.

Hotpatch Options

For environments that support hotpatching (Azure Edition VMs and certain Server 2025 configurations), corresponding Security Hotpatch updates were also released:

PlatformKB ArticleFixed Build
Windows 11 24H2/25H2KB508946610.0.26100.8390 / 10.0.26200.8390
Windows Server 2025KB508742310.0.26100.32772
Windows Server 2022KB508742410.0.20348.5074

These hotpatch updates allow the fix to be applied without a reboot, which is particularly valuable for production server environments.

Affected Systems and Versions

The vulnerability impacts a broad range of Windows client and server operating systems across multiple architectures:

Windows Client:

  • Windows 10 Version 1607 (32 bit and x64 based)
  • Windows 10 Version 1809 (32 bit and x64 based)
  • Windows 10 Version 21H2 (32 bit, x64 based, ARM64 based)
  • Windows 10 Version 22H2 (32 bit, x64 based, ARM64 based)
  • Windows 11 Version 23H2 (x64 based and ARM64 based)
  • Windows 11 Version 24H2 (x64 based and ARM64 based)
  • Windows 11 Version 25H2
  • Windows 11 Version 26H1

Windows Server:

  • Windows Server 2012 (Standard and Server Core)
  • Windows Server 2012 R2 (Standard and Server Core)
  • Windows Server 2016 (Standard and Server Core)
  • Windows Server 2019 (Standard and Server Core)
  • Windows Server 2022 (Standard and Server Core)
  • Windows Server 2022 23H2
  • Windows Server 2025 (Standard and Server Core)

Any system running a build number lower than the fixed builds listed in the patch matrix above is vulnerable.

Vendor Security History

This vulnerability is part of a broader pattern of memory safety issues in the Win32k component. During the same May 2026 update cycle, Microsoft also patched CVE-2026-34331 and CVE-2026-34333, both Win32k Elevation of Privilege vulnerabilities. The Win32k subsystem has been a recurring source of local privilege escalation flaws due to its large kernel mode attack surface and complex legacy codebase.

The May 2026 Patch Tuesday cycle addressed 120 flaws total with zero zero days reported. CVE-2026-34330 was credited to wenqunwang with the China Telecom Research Institute through coordinated vulnerability disclosure.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization