Introduction
A local attacker with low privileges on a Windows system can leverage a memory safety flaw in the Win32K graphics subsystem to escalate directly to SYSTEM, the highest privilege level on the machine. Microsoft patched this issue on May 12, 2026, across 31 affected product configurations as part of a Patch Tuesday cycle that addressed 120 vulnerabilities in total.
Technical Information
CVE-2026-34333 targets the Win32K GRFX subsystem, the kernel mode graphics driver responsible for GDI rendering and window management operations within Windows. Because Win32K operates in kernel mode, any memory corruption bug here has a direct path to full system compromise.
Root Cause
The vulnerability is the product of two interrelated weaknesses working in tandem:
- Integer Overflow or Wraparound (CWE-190): An arithmetic operation on a size or reference count value overflows, producing an incorrect result that is then used in subsequent memory management logic.
- Use After Free (CWE-416): The corrupted value from the integer overflow leads to premature freeing of a kernel object (or incorrect tracking of its lifetime). A later code path then accesses the freed memory region, operating on attacker influenced data that now occupies that allocation.
In practical terms, the integer overflow likely corrupts a size or reference count, which causes the kernel to believe an object is no longer in use. Once the object is freed, a subsequent operation dereferences the stale pointer. If an attacker can control the contents of the reallocated memory at that address, they can redirect kernel execution flow or corrupt kernel structures to elevate privileges.
CVSS Mechanics
The full CVSS 3.1 vector string is:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Breaking this down:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Local | Attacker must have local access to the target system |
| Attack Complexity | Low | No special conditions or race windows required |
| Privileges Required | Low | A standard, non administrative user account is sufficient |
| User Interaction | None | No action from another user is needed |
| Scope | Unchanged | The vulnerability stays within the security authority of the vulnerable component |
| Confidentiality / Integrity / Availability | High / High / High | Full compromise of all three pillars |
The base score is 7.8. The temporal score drops to 6.8 due to the availability of an official fix and the current "Unproven" exploit code maturity rating.
Attack Flow
Based on the available information, the exploitation path follows this general sequence:
- The attacker obtains local, low privilege access to a Windows system (e.g., through a compromised user account, RDP session on a shared workstation, or initial access via another vulnerability).
- The attacker triggers the integer overflow condition in the Win32K GRFX subsystem through crafted GDI or window management calls from user mode.
- The overflow corrupts a size or reference count, causing the kernel to free a graphics object prematurely.
- The attacker reclaims the freed memory with controlled data (a standard kernel pool grooming technique).
- When Win32K subsequently accesses the freed object through the stale pointer, it operates on the attacker controlled data.
- The attacker leverages this to gain arbitrary kernel read/write or redirect execution, ultimately obtaining SYSTEM privileges.
Data Gaps
No public exploit code or proof of concept has been disclosed. Because Win32K is a closed source kernel mode driver, there is no source code diff available for independent analysis. The fixes are distributed solely as binary updates.
Patch Information
Microsoft officially patched CVE-2026-34333 on May 12, 2026, as part of the May 2026 Patch Tuesday cumulative update cycle. The MSRC advisory confirms a remediation level of "Official Fix," meaning a complete vendor solution is available for all affected platforms.
The patch addresses both root causes: the integer arithmetic is now correctly bounded, and the object lifetime management in Win32K GRFX has been hardened to prevent access to freed allocations.
Below is a consolidated summary of the relevant Knowledge Base articles for each product family:
| Product Family | KB Article(s) | Patched Build(s) |
|---|---|---|
| Windows 11 Version 26H1 (x64, ARM64) | KB5089548 | 10.0.28000.2113 |
| Windows 11 Version 25H2 / 24H2 (x64, ARM64) | KB5089549 + Hotpatch KB5089466 | 10.0.26200.8457 / 10.0.26100.8457 |
| Windows 11 Version 23H2 (x64, ARM64) | KB5087420 | 10.0.22631.7079 |
| Windows 10 Version 22H2 / 21H2 (x64, x86, ARM64) | KB5087544 | 10.0.19045.7291 / 10.0.19044.7291 |
| Windows 10 Version 1809 / Server 2019 | KB5087538 | 10.0.17763.8755 |
| Windows 10 Version 1607 / Server 2016 | KB5087537 | 10.0.14393.9140 |
| Windows Server 2025 (incl. Server Core) | KB5087539 + Hotpatch KB5087423 | 10.0.26100.32860 / 10.0.26100.32772 |
| Windows Server 2022 (incl. Server Core) | KB5087545 + Hotpatch KB5087424 | 10.0.20348.5139 / 10.0.20348.5074 |
| Windows Server 2022, 23H2 Edition (Server Core) | KB5087541 | 10.0.25398.2330 |
| Windows Server 2012 R2 (incl. Server Core) | KB5087471 | 6.3.9600.23181 |
| Windows Server 2012 (incl. Server Core) | KB5087470 | 6.2.9200.26079 |
For several newer platforms (Windows 11 24H2/25H2, Windows Server 2025, and Windows Server 2022), Microsoft also provides Security Hotpatch Updates (the secondary KB numbers in the table above). These hotpatch updates allow the fix to be applied without requiring a full system reboot, which is particularly valuable for production server environments that need to minimize downtime.
All updates are marked with a customer action status of "Required". Organizations should deploy these patches through standard channels: Windows Update, WSUS, or direct download from the Microsoft Update Catalog. To verify remediation, administrators should confirm their systems are running the patched build numbers listed above or newer.
Prioritization Guidance
Because the attack vector is Local and requires only low privileges, organizations should prioritize patching in the following order:
- Shared workstations and terminal servers where multiple users have local access
- Administrative jump hosts and bastion servers used for privileged operations
- Standard endpoints managed through enterprise deployment tools
No workarounds or mitigations are documented outside of the official patch.
Affected Systems and Versions
The MSRC advisory lists 31 affected product rows. Based on the patch matrix, the following product families and versions are confirmed vulnerable:
Windows 11:
- Version 26H1 (x64, ARM64), builds prior to 10.0.28000.2113
- Version 25H2 (x64, ARM64), builds prior to 10.0.26200.8457
- Version 24H2 (x64, ARM64), builds prior to 10.0.26100.8457
- Version 23H2 (x64, ARM64), builds prior to 10.0.22631.7079
Windows 10:
- Version 22H2 (x64, x86, ARM64), builds prior to 10.0.19045.7291
- Version 21H2 (x64, x86, ARM64), builds prior to 10.0.19044.7291
- Version 1809 (x64, x86), builds prior to 10.0.17763.8755
- Version 1607 (x64, x86), builds prior to 10.0.14393.9140
Windows Server:
- Windows Server 2025 (including Server Core), builds prior to 10.0.26100.32860
- Windows Server 2022 (including Server Core), builds prior to 10.0.20348.5139
- Windows Server 2022, 23H2 Edition (Server Core), builds prior to 10.0.25398.2330
- Windows Server 2019 (including Server Core), builds prior to 10.0.17763.8755
- Windows Server 2016 (including Server Core), builds prior to 10.0.14393.9140
- Windows Server 2012 R2 (including Server Core), builds prior to 6.3.9600.23181
- Windows Server 2012 (including Server Core), builds prior to 6.2.9200.26079
References
- Microsoft Security Update Guide: CVE-2026-34333
- NVD Entry: CVE-2026-34333
- Zero Day Initiative: The May 2026 Security Update Review
- Cybersecurity News: Microsoft Patch Tuesday May 2026
- VulDB: CVE-2026-34333
- Bleeping Computer: Microsoft Patch Tuesday May 2026
- CISA Known Exploited Vulnerabilities Catalog
- Microsoft Update Catalog



