Introduction
A race condition in the Windows Win32K graphics subsystem lets any local user with low privileges escalate to SYSTEM by winning a timing sensitive race and triggering a use after free in kernel memory. While Microsoft rates exploitation as unlikely due to the high attack complexity, the breadth of affected platforms (spanning Windows 10, Windows 11, and every supported Windows Server edition) makes CVE-2026-34331 a patch worth prioritizing across enterprise fleets.
Technical Information
CVE-2026-34331 is rooted in the Win32K GRFX component, the kernel mode driver that handles core graphics operations and window management in Windows. The vulnerability maps to two CWE classifications: CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-416 (Use After Free). Together, these describe a scenario where improper synchronization around a shared resource creates a race window. If an attacker wins that race, the shared resource is freed while still referenced, producing a dangling pointer that can be dereferenced to execute arbitrary code in kernel context.
CVSS 3.1 Breakdown
The base score of 7.0 and temporal score of 6.1 reflect the following vector:
| Metric | Value | Significance |
|---|---|---|
| Attack Vector | Local | Attacker must have local access to the system |
| Attack Complexity | High | Attacker must win a race condition |
| Privileges Required | Low | Only basic user authorization is needed |
| User Interaction | None | No action required from the victim |
| Scope | Unchanged | The vulnerable and impacted component are the same |
| Confidentiality Impact | High | Total loss of confidentiality |
| Integrity Impact | High | Total loss of integrity |
| Availability Impact | High | Total loss of availability |
The high attack complexity is the key limiting factor. The attacker needs precise timing to hit the race window between the shared resource access and the synchronization gap. If the timing is right, the freed object is dereferenced, and the attacker gains code execution with SYSTEM privileges, granting full control over the local machine.
Attack Flow
Based on the available technical details, the exploitation path follows this general sequence:
- A local attacker with low privileges initiates concurrent operations that interact with the vulnerable shared resource in the Win32K GRFX component.
- Due to improper synchronization, a race condition exists where one thread can free the shared resource while another thread still holds a reference to it.
- The attacker manipulates timing (for example, through thread scheduling or repeated attempts) to win the race, causing the resource to be freed prematurely.
- The stale reference is then dereferenced (use after free), and if the attacker has placed controlled data in the freed memory region, they achieve arbitrary code execution in kernel mode.
- Code execution in kernel mode translates directly to SYSTEM privileges on the local machine.
Because this is a closed source Windows kernel mode driver, no public source level diff or code snippet is available. The fix is delivered exclusively through cumulative security updates and monthly rollups.
Patch Information
Microsoft released an official fix for CVE-2026-34331 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the remediation level is "Official Fix," meaning a complete vendor solution is available. The patch addresses the vulnerability by correcting the synchronization logic around the shared resource access path in the Win32k graphics component, closing the race window that previously allowed the dangling pointer dereference.
No mitigations or workarounds are available from the vendor. Patching is the only remediation path.
The following table maps affected platforms to their corresponding Knowledge Base articles and patched build numbers:
| Platform(s) | KB Article | Patched Build |
|---|---|---|
| Windows 11 26H1 (x64, ARM64) | KB5089548 | 10.0.28000.2113 |
| Windows 11 24H2 / 25H2 (x64, ARM64) | KB5089549 (+ KB5089466 hotpatch) | 10.0.26100.8457 / 10.0.26200.8457 |
| Windows 11 23H2 (x64, ARM64) | KB5087420 | 10.0.22631.7079 |
| Windows 10 21H2 / 22H2 (x64, ARM64, x86) | KB5087544 | 10.0.19044.7291 / 10.0.19045.7291 |
| Windows 10 1809 (x64, x86) | KB5087538 | 10.0.17763.8755 |
| Windows 10 1607 (x64, x86) | KB5087537 | 10.0.14393.9140 |
| Windows Server 2025 (incl. Server Core) | KB5087539 (+ KB5087423 hotpatch) | 10.0.26100.32860 |
| Windows Server 2022 (incl. Server Core) | KB5087545 (+ KB5087424 hotpatch) | 10.0.20348.5139 |
| Windows Server 2022, 23H2 (Server Core) | KB5087541 | 10.0.25398.2330 |
| Windows Server 2019 (incl. Server Core) | KB5087538 | 10.0.17763.8755 |
| Windows Server 2016 (incl. Server Core) | KB5087537 | 10.0.14393.9140 |
| Windows Server 2012 R2 (incl. Server Core) | KB5087471 | 6.3.9600.23181 |
| Windows Server 2012 (incl. Server Core) | KB5087470 | 6.2.9200.26079 |
For several newer platforms (Windows Server 2025, Windows Server 2022, and Windows 11 24H2/25H2), Microsoft provides Security Hotpatch Updates alongside the standard cumulative updates. Hotpatches allow in memory patching without a full reboot, which is particularly valuable for production server environments. An eventual restart is still recommended to ensure full protection.
All updates are marked as "Customer Action Required," meaning systems with automatic updates disabled must have the patches applied manually via Windows Update or the Microsoft Update Catalog.
Affected Systems and Versions
The vulnerability affects a broad range of Windows client and server operating systems. The following version ranges are confirmed as vulnerable:
Windows Client:
- Windows 10 Version 1607: 10.0.14393.0 through versions before 10.0.14393.9140 (32 bit and x64)
- Windows 10 Version 1809: 10.0.17763.0 through versions before 10.0.17763.8755 (32 bit and x64)
- Windows 10 Version 21H2: 10.0.19044.0 through versions before 10.0.19044.7291 (32 bit, ARM64, x64)
- Windows 11 Version 23H2: 10.0.22631.0 through versions before 10.0.22631.7079 (x64)
- Windows 11 Version 24H2 / 25H2: versions before 10.0.26100.8457 / 10.0.26200.8457 (x64, ARM64)
- Windows 11 Version 26H1: versions before 10.0.28000.2113 (x64, ARM64)
Windows Server:
- Windows Server 2012: 6.2.9200.0 through versions before 6.2.9200.26079 (x64)
- Windows Server 2012 R2: 6.3.9600.0 through versions before 6.3.9600.23181 (x64)
- Windows Server 2016: 10.0.14393.0 through versions before 10.0.14393.9140 (x64)
- Windows Server 2019: 10.0.17763.0 through versions before 10.0.17763.8755 (x64)
- Windows Server 2022: 10.0.20348.0 through versions before 10.0.20348.5139 (x64)
- Windows Server 2022, 23H2 (Server Core): versions before 10.0.25398.2330
- Windows Server 2025: 10.0.26100.0 through versions before 10.0.26100.32860 (x64)
Organizations should verify that their systems are updated to build numbers equal to or greater than the fixed versions listed above.
References
- MSRC Advisory: CVE-2026-34331
- NVD Entry: CVE-2026-34331
- MITRE CVE Record: CVE-2026-34331
- Bleeping Computer: Microsoft Patch Tuesday May 2026 Report
- Bleeping Computer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Tenable: CVE-2026-34331
- Zero Day Initiative: The May 2026 Security Update Review



