ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-34347 — Windows Win32K Use After Free Elevation of Privilege

A brief summary of CVE-2026-34347, a use after free vulnerability in the Windows Win32K GRFX subsystem that allows local privilege escalation to SYSTEM. Includes technical details, affected versions, and patch information across all supported Windows platforms.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Quick Look: CVE-2026-34347 — Windows Win32K Use After Free Elevation of Privilege
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A use after free in the Windows Win32K graphics kernel subsystem, patched in May 2026, gives any local user with a basic account the ability to escalate to SYSTEM privileges. For organizations running multi user Windows environments or terminal servers, CVE-2026-34347 represents a meaningful post compromise escalation primitive that warrants prompt patching, even though exploitation requires winning a race condition and no in the wild activity has been observed.

Technical Information

Root Cause

CVE-2026-34347 is classified as CWE-416 (Use After Free) within the Windows Win32K GRFX component. Win32K is the kernel mode portion of the Windows graphics subsystem responsible for window management, GDI rendering, and related operations. The GRFX subcomponent handles graphics object management at the kernel level.

The core issue is that a kernel mode graphics object was being referenced after its backing memory had already been freed. This creates a dangling pointer: a reference that points to memory that may have been reallocated for a different purpose. If an attacker can influence what occupies that freed memory region at the precise moment the stale pointer is dereferenced, they can achieve arbitrary kernel memory corruption.

CVSS Breakdown

The full CVSS 3.1 vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 7.0.

MetricValueImplication
Attack VectorLocalAttacker must have local system access
Attack ComplexityHighAttacker must win a race condition
Privileges RequiredLowA standard, non administrative user account suffices
User InteractionNoneNo victim action is needed
ScopeUnchangedThe impacted component is the same as the vulnerable component
Confidentiality / Integrity / AvailabilityHigh / High / HighFull compromise of the host

Attack Flow

Based on the vulnerability characteristics, exploitation would follow this general sequence:

  1. Initial Access: The attacker obtains code execution on the target system under a low privileged user account. This could be through a compromised user session, a phishing payload, or lateral movement from another compromised host.

  2. Triggering the Free: The attacker interacts with the Win32K GRFX subsystem through standard Windows API calls to create and manipulate graphics objects. The goal is to trigger the code path where a graphics object is freed while a reference to it still exists in kernel memory.

  3. Winning the Race: Because the vulnerability involves a race condition (reflected in the High attack complexity), the attacker must precisely time their operations so that the freed memory is accessed through the dangling pointer before the system naturally cleans up or reassigns the reference. This likely involves concurrent threads or carefully timed system calls.

  4. Heap Spray or Object Replacement: After the target object is freed, the attacker attempts to reclaim the freed memory with attacker controlled data. If the kernel allocator places a new, attacker crafted object in the same memory location, the subsequent dereference of the dangling pointer will operate on attacker controlled data.

  5. Privilege Escalation: By controlling the contents of the reallocated memory, the attacker can corrupt kernel structures (such as token objects or process structures) to elevate their process to SYSTEM integrity level.

A successful exploit grants SYSTEM privileges, which means full control over the host: the ability to install software, access all files, create new accounts, and pivot further into the network.

Exploitability Assessment

Microsoft rates this vulnerability as "Exploitation Less Likely" with exploit code maturity classified as "Unproven." The race condition requirement is a meaningful barrier; it introduces unreliability into any exploit attempt and may require many iterations to succeed. That said, Win32K use after free vulnerabilities have a long history of successful exploitation in Windows, and skilled attackers have repeatedly demonstrated the ability to stabilize race condition based kernel exploits.

Patch Information

Microsoft released an official fix for CVE-2026-34347 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the Remediation Level as "Official Fix," meaning a complete vendor solution is available.

The patch corrects the object lifetime management in Win32K GRFX to prevent the stale reference from occurring. Because Win32K is a closed source Windows kernel component, no source level diff is publicly available. The fix is distributed exclusively through Microsoft's cumulative and hotpatch update channels.

The affected product matrix is broad, spanning legacy and modern Windows versions:

PlatformKB Article(s)Patched Build
Windows Server 2022KB5087545 (cumulative) / KB5087424 (hotpatch)20348.5139 / 20348.5074
Windows Server 2025KB5087539 (cumulative) / KB5087423 (hotpatch)26100.32860 / 26100.32772
Windows Server 2022, 23H2 EditionKB508754125398.2330
Windows Server 2019 / Windows 10 v1809KB508753817763.8755
Windows Server 2016 / Windows 10 v1607KB508753714393.9140
Windows Server 2012 R2KB50874719600.23181
Windows Server 2012KB50874709200.26079
Windows 11 26H1KB508954828000.2113
Windows 11 24H2 / 25H2KB5089549 (cumulative) / KB5089466 (hotpatch)26100.8457 / 26100.8390 (24H2); 26200.8457 / 26200.8390 (25H2)
Windows 11 23H2KB508742022631.7079
Windows 10 21H2 / 22H2KB508754419044.7291 / 19045.7291

A noteworthy aspect of this release is the availability of hotpatch updates for Windows Server 2022, Windows Server 2025, and Windows 11 24H2/25H2. Hotpatch updates (e.g., KB5087424, KB5087423, KB5089466) apply the security fix in memory without requiring a full reboot. The hotpatch builds are slightly lower (e.g., 20348.5074 vs. 20348.5139) because they carry only the security delta, while the cumulative update also bundles non security quality improvements. This is particularly valuable for server environments where uptime is critical.

All updates are available through Windows Update, Windows Update for Business, WSUS, and the Microsoft Update Catalog. Customer action is marked as Required for every affected product, meaning administrators should verify installation across their fleet. No alternative workarounds are documented by the vendor.

Affected Systems and Versions

The vulnerability affects the Win32K GRFX component across all currently supported Windows client and server platforms. Specific affected versions and their target patched builds include:

Windows Client:

  • Windows 11 26H1 (patched at build 28000.2113)
  • Windows 11 24H2 (patched at build 26100.8457)
  • Windows 11 25H2 (patched at build 26200.8457)
  • Windows 11 23H2 (patched at build 22631.7079)
  • Windows 10 22H2 (patched at build 19045.7291)
  • Windows 10 21H2 (patched at build 19044.7291)
  • Windows 10 v1809 (patched at build 17763.8755)
  • Windows 10 v1607 (patched at build 14393.9140)

Windows Server:

  • Windows Server 2025 (patched at build 26100.32860)
  • Windows Server 2022, 23H2 Edition (patched at build 25398.2330)
  • Windows Server 2022 (patched at build 20348.5139)
  • Windows Server 2019 (patched at build 17763.8755)
  • Windows Server 2016 (patched at build 14393.9140)
  • Windows Server 2012 R2 (patched at build 9600.23181)
  • Windows Server 2012 (patched at build 9200.26079)

Any system running a build number lower than the patched build for its respective version is vulnerable.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization