ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-34331 Win32k GRFX Race Condition Privilege Escalation in Windows

A short review of CVE-2026-34331, a race condition and use after free vulnerability in the Windows Win32K GRFX component that allows local privilege escalation to SYSTEM. Includes patch details across affected Windows client and server platforms.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-34331 Win32k GRFX Race Condition Privilege Escalation in Windows
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A race condition in the Windows Win32K graphics subsystem lets any local user with low privileges escalate to SYSTEM by winning a timing sensitive race and triggering a use after free in kernel memory. While Microsoft rates exploitation as unlikely due to the high attack complexity, the breadth of affected platforms (spanning Windows 10, Windows 11, and every supported Windows Server edition) makes CVE-2026-34331 a patch worth prioritizing across enterprise fleets.

Technical Information

CVE-2026-34331 is rooted in the Win32K GRFX component, the kernel mode driver that handles core graphics operations and window management in Windows. The vulnerability maps to two CWE classifications: CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-416 (Use After Free). Together, these describe a scenario where improper synchronization around a shared resource creates a race window. If an attacker wins that race, the shared resource is freed while still referenced, producing a dangling pointer that can be dereferenced to execute arbitrary code in kernel context.

CVSS 3.1 Breakdown

The base score of 7.0 and temporal score of 6.1 reflect the following vector:

MetricValueSignificance
Attack VectorLocalAttacker must have local access to the system
Attack ComplexityHighAttacker must win a race condition
Privileges RequiredLowOnly basic user authorization is needed
User InteractionNoneNo action required from the victim
ScopeUnchangedThe vulnerable and impacted component are the same
Confidentiality ImpactHighTotal loss of confidentiality
Integrity ImpactHighTotal loss of integrity
Availability ImpactHighTotal loss of availability

The high attack complexity is the key limiting factor. The attacker needs precise timing to hit the race window between the shared resource access and the synchronization gap. If the timing is right, the freed object is dereferenced, and the attacker gains code execution with SYSTEM privileges, granting full control over the local machine.

Attack Flow

Based on the available technical details, the exploitation path follows this general sequence:

  1. A local attacker with low privileges initiates concurrent operations that interact with the vulnerable shared resource in the Win32K GRFX component.
  2. Due to improper synchronization, a race condition exists where one thread can free the shared resource while another thread still holds a reference to it.
  3. The attacker manipulates timing (for example, through thread scheduling or repeated attempts) to win the race, causing the resource to be freed prematurely.
  4. The stale reference is then dereferenced (use after free), and if the attacker has placed controlled data in the freed memory region, they achieve arbitrary code execution in kernel mode.
  5. Code execution in kernel mode translates directly to SYSTEM privileges on the local machine.

Because this is a closed source Windows kernel mode driver, no public source level diff or code snippet is available. The fix is delivered exclusively through cumulative security updates and monthly rollups.

Patch Information

Microsoft released an official fix for CVE-2026-34331 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the remediation level is "Official Fix," meaning a complete vendor solution is available. The patch addresses the vulnerability by correcting the synchronization logic around the shared resource access path in the Win32k graphics component, closing the race window that previously allowed the dangling pointer dereference.

No mitigations or workarounds are available from the vendor. Patching is the only remediation path.

The following table maps affected platforms to their corresponding Knowledge Base articles and patched build numbers:

Platform(s)KB ArticlePatched Build
Windows 11 26H1 (x64, ARM64)KB508954810.0.28000.2113
Windows 11 24H2 / 25H2 (x64, ARM64)KB5089549 (+ KB5089466 hotpatch)10.0.26100.8457 / 10.0.26200.8457
Windows 11 23H2 (x64, ARM64)KB508742010.0.22631.7079
Windows 10 21H2 / 22H2 (x64, ARM64, x86)KB508754410.0.19044.7291 / 10.0.19045.7291
Windows 10 1809 (x64, x86)KB508753810.0.17763.8755
Windows 10 1607 (x64, x86)KB508753710.0.14393.9140
Windows Server 2025 (incl. Server Core)KB5087539 (+ KB5087423 hotpatch)10.0.26100.32860
Windows Server 2022 (incl. Server Core)KB5087545 (+ KB5087424 hotpatch)10.0.20348.5139
Windows Server 2022, 23H2 (Server Core)KB508754110.0.25398.2330
Windows Server 2019 (incl. Server Core)KB508753810.0.17763.8755
Windows Server 2016 (incl. Server Core)KB508753710.0.14393.9140
Windows Server 2012 R2 (incl. Server Core)KB50874716.3.9600.23181
Windows Server 2012 (incl. Server Core)KB50874706.2.9200.26079

For several newer platforms (Windows Server 2025, Windows Server 2022, and Windows 11 24H2/25H2), Microsoft provides Security Hotpatch Updates alongside the standard cumulative updates. Hotpatches allow in memory patching without a full reboot, which is particularly valuable for production server environments. An eventual restart is still recommended to ensure full protection.

All updates are marked as "Customer Action Required," meaning systems with automatic updates disabled must have the patches applied manually via Windows Update or the Microsoft Update Catalog.

Affected Systems and Versions

The vulnerability affects a broad range of Windows client and server operating systems. The following version ranges are confirmed as vulnerable:

Windows Client:

  • Windows 10 Version 1607: 10.0.14393.0 through versions before 10.0.14393.9140 (32 bit and x64)
  • Windows 10 Version 1809: 10.0.17763.0 through versions before 10.0.17763.8755 (32 bit and x64)
  • Windows 10 Version 21H2: 10.0.19044.0 through versions before 10.0.19044.7291 (32 bit, ARM64, x64)
  • Windows 11 Version 23H2: 10.0.22631.0 through versions before 10.0.22631.7079 (x64)
  • Windows 11 Version 24H2 / 25H2: versions before 10.0.26100.8457 / 10.0.26200.8457 (x64, ARM64)
  • Windows 11 Version 26H1: versions before 10.0.28000.2113 (x64, ARM64)

Windows Server:

  • Windows Server 2012: 6.2.9200.0 through versions before 6.2.9200.26079 (x64)
  • Windows Server 2012 R2: 6.3.9600.0 through versions before 6.3.9600.23181 (x64)
  • Windows Server 2016: 10.0.14393.0 through versions before 10.0.14393.9140 (x64)
  • Windows Server 2019: 10.0.17763.0 through versions before 10.0.17763.8755 (x64)
  • Windows Server 2022: 10.0.20348.0 through versions before 10.0.20348.5139 (x64)
  • Windows Server 2022, 23H2 (Server Core): versions before 10.0.25398.2330
  • Windows Server 2025: 10.0.26100.0 through versions before 10.0.26100.32860 (x64)

Organizations should verify that their systems are updated to build numbers equal to or greater than the fixed versions listed above.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization