ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-34333 Windows Win32k Use After Free Privilege Escalation

A short review of CVE-2026-34333, a use after free vulnerability in the Windows Win32K GRFX subsystem that allows local privilege escalation to SYSTEM. Includes patch details across 31 affected product configurations.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-34333 Windows Win32k Use After Free Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A local attacker with low privileges on a Windows system can leverage a memory safety flaw in the Win32K graphics subsystem to escalate directly to SYSTEM, the highest privilege level on the machine. Microsoft patched this issue on May 12, 2026, across 31 affected product configurations as part of a Patch Tuesday cycle that addressed 120 vulnerabilities in total.

Technical Information

CVE-2026-34333 targets the Win32K GRFX subsystem, the kernel mode graphics driver responsible for GDI rendering and window management operations within Windows. Because Win32K operates in kernel mode, any memory corruption bug here has a direct path to full system compromise.

Root Cause

The vulnerability is the product of two interrelated weaknesses working in tandem:

  1. Integer Overflow or Wraparound (CWE-190): An arithmetic operation on a size or reference count value overflows, producing an incorrect result that is then used in subsequent memory management logic.
  2. Use After Free (CWE-416): The corrupted value from the integer overflow leads to premature freeing of a kernel object (or incorrect tracking of its lifetime). A later code path then accesses the freed memory region, operating on attacker influenced data that now occupies that allocation.

In practical terms, the integer overflow likely corrupts a size or reference count, which causes the kernel to believe an object is no longer in use. Once the object is freed, a subsequent operation dereferences the stale pointer. If an attacker can control the contents of the reallocated memory at that address, they can redirect kernel execution flow or corrupt kernel structures to elevate privileges.

CVSS Mechanics

The full CVSS 3.1 vector string is:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Breaking this down:

MetricValueMeaning
Attack VectorLocalAttacker must have local access to the target system
Attack ComplexityLowNo special conditions or race windows required
Privileges RequiredLowA standard, non administrative user account is sufficient
User InteractionNoneNo action from another user is needed
ScopeUnchangedThe vulnerability stays within the security authority of the vulnerable component
Confidentiality / Integrity / AvailabilityHigh / High / HighFull compromise of all three pillars

The base score is 7.8. The temporal score drops to 6.8 due to the availability of an official fix and the current "Unproven" exploit code maturity rating.

Attack Flow

Based on the available information, the exploitation path follows this general sequence:

  1. The attacker obtains local, low privilege access to a Windows system (e.g., through a compromised user account, RDP session on a shared workstation, or initial access via another vulnerability).
  2. The attacker triggers the integer overflow condition in the Win32K GRFX subsystem through crafted GDI or window management calls from user mode.
  3. The overflow corrupts a size or reference count, causing the kernel to free a graphics object prematurely.
  4. The attacker reclaims the freed memory with controlled data (a standard kernel pool grooming technique).
  5. When Win32K subsequently accesses the freed object through the stale pointer, it operates on the attacker controlled data.
  6. The attacker leverages this to gain arbitrary kernel read/write or redirect execution, ultimately obtaining SYSTEM privileges.

Data Gaps

No public exploit code or proof of concept has been disclosed. Because Win32K is a closed source kernel mode driver, there is no source code diff available for independent analysis. The fixes are distributed solely as binary updates.

Patch Information

Microsoft officially patched CVE-2026-34333 on May 12, 2026, as part of the May 2026 Patch Tuesday cumulative update cycle. The MSRC advisory confirms a remediation level of "Official Fix," meaning a complete vendor solution is available for all affected platforms.

The patch addresses both root causes: the integer arithmetic is now correctly bounded, and the object lifetime management in Win32K GRFX has been hardened to prevent access to freed allocations.

Below is a consolidated summary of the relevant Knowledge Base articles for each product family:

Product FamilyKB Article(s)Patched Build(s)
Windows 11 Version 26H1 (x64, ARM64)KB508954810.0.28000.2113
Windows 11 Version 25H2 / 24H2 (x64, ARM64)KB5089549 + Hotpatch KB508946610.0.26200.8457 / 10.0.26100.8457
Windows 11 Version 23H2 (x64, ARM64)KB508742010.0.22631.7079
Windows 10 Version 22H2 / 21H2 (x64, x86, ARM64)KB508754410.0.19045.7291 / 10.0.19044.7291
Windows 10 Version 1809 / Server 2019KB508753810.0.17763.8755
Windows 10 Version 1607 / Server 2016KB508753710.0.14393.9140
Windows Server 2025 (incl. Server Core)KB5087539 + Hotpatch KB508742310.0.26100.32860 / 10.0.26100.32772
Windows Server 2022 (incl. Server Core)KB5087545 + Hotpatch KB508742410.0.20348.5139 / 10.0.20348.5074
Windows Server 2022, 23H2 Edition (Server Core)KB508754110.0.25398.2330
Windows Server 2012 R2 (incl. Server Core)KB50874716.3.9600.23181
Windows Server 2012 (incl. Server Core)KB50874706.2.9200.26079

For several newer platforms (Windows 11 24H2/25H2, Windows Server 2025, and Windows Server 2022), Microsoft also provides Security Hotpatch Updates (the secondary KB numbers in the table above). These hotpatch updates allow the fix to be applied without requiring a full system reboot, which is particularly valuable for production server environments that need to minimize downtime.

All updates are marked with a customer action status of "Required". Organizations should deploy these patches through standard channels: Windows Update, WSUS, or direct download from the Microsoft Update Catalog. To verify remediation, administrators should confirm their systems are running the patched build numbers listed above or newer.

Prioritization Guidance

Because the attack vector is Local and requires only low privileges, organizations should prioritize patching in the following order:

  1. Shared workstations and terminal servers where multiple users have local access
  2. Administrative jump hosts and bastion servers used for privileged operations
  3. Standard endpoints managed through enterprise deployment tools

No workarounds or mitigations are documented outside of the official patch.

Affected Systems and Versions

The MSRC advisory lists 31 affected product rows. Based on the patch matrix, the following product families and versions are confirmed vulnerable:

Windows 11:

  • Version 26H1 (x64, ARM64), builds prior to 10.0.28000.2113
  • Version 25H2 (x64, ARM64), builds prior to 10.0.26200.8457
  • Version 24H2 (x64, ARM64), builds prior to 10.0.26100.8457
  • Version 23H2 (x64, ARM64), builds prior to 10.0.22631.7079

Windows 10:

  • Version 22H2 (x64, x86, ARM64), builds prior to 10.0.19045.7291
  • Version 21H2 (x64, x86, ARM64), builds prior to 10.0.19044.7291
  • Version 1809 (x64, x86), builds prior to 10.0.17763.8755
  • Version 1607 (x64, x86), builds prior to 10.0.14393.9140

Windows Server:

  • Windows Server 2025 (including Server Core), builds prior to 10.0.26100.32860
  • Windows Server 2022 (including Server Core), builds prior to 10.0.20348.5139
  • Windows Server 2022, 23H2 Edition (Server Core), builds prior to 10.0.25398.2330
  • Windows Server 2019 (including Server Core), builds prior to 10.0.17763.8755
  • Windows Server 2016 (including Server Core), builds prior to 10.0.14393.9140
  • Windows Server 2012 R2 (including Server Core), builds prior to 6.3.9600.23181
  • Windows Server 2012 (including Server Core), builds prior to 6.2.9200.26079

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization