Introduction
A use after free in the Windows Win32K graphics kernel subsystem, patched in May 2026, gives any local user with a basic account the ability to escalate to SYSTEM privileges. For organizations running multi user Windows environments or terminal servers, CVE-2026-34347 represents a meaningful post compromise escalation primitive that warrants prompt patching, even though exploitation requires winning a race condition and no in the wild activity has been observed.
Technical Information
Root Cause
CVE-2026-34347 is classified as CWE-416 (Use After Free) within the Windows Win32K GRFX component. Win32K is the kernel mode portion of the Windows graphics subsystem responsible for window management, GDI rendering, and related operations. The GRFX subcomponent handles graphics object management at the kernel level.
The core issue is that a kernel mode graphics object was being referenced after its backing memory had already been freed. This creates a dangling pointer: a reference that points to memory that may have been reallocated for a different purpose. If an attacker can influence what occupies that freed memory region at the precise moment the stale pointer is dereferenced, they can achieve arbitrary kernel memory corruption.
CVSS Breakdown
The full CVSS 3.1 vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 7.0.
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Local | Attacker must have local system access |
| Attack Complexity | High | Attacker must win a race condition |
| Privileges Required | Low | A standard, non administrative user account suffices |
| User Interaction | None | No victim action is needed |
| Scope | Unchanged | The impacted component is the same as the vulnerable component |
| Confidentiality / Integrity / Availability | High / High / High | Full compromise of the host |
Attack Flow
Based on the vulnerability characteristics, exploitation would follow this general sequence:
-
Initial Access: The attacker obtains code execution on the target system under a low privileged user account. This could be through a compromised user session, a phishing payload, or lateral movement from another compromised host.
-
Triggering the Free: The attacker interacts with the Win32K GRFX subsystem through standard Windows API calls to create and manipulate graphics objects. The goal is to trigger the code path where a graphics object is freed while a reference to it still exists in kernel memory.
-
Winning the Race: Because the vulnerability involves a race condition (reflected in the High attack complexity), the attacker must precisely time their operations so that the freed memory is accessed through the dangling pointer before the system naturally cleans up or reassigns the reference. This likely involves concurrent threads or carefully timed system calls.
-
Heap Spray or Object Replacement: After the target object is freed, the attacker attempts to reclaim the freed memory with attacker controlled data. If the kernel allocator places a new, attacker crafted object in the same memory location, the subsequent dereference of the dangling pointer will operate on attacker controlled data.
-
Privilege Escalation: By controlling the contents of the reallocated memory, the attacker can corrupt kernel structures (such as token objects or process structures) to elevate their process to SYSTEM integrity level.
A successful exploit grants SYSTEM privileges, which means full control over the host: the ability to install software, access all files, create new accounts, and pivot further into the network.
Exploitability Assessment
Microsoft rates this vulnerability as "Exploitation Less Likely" with exploit code maturity classified as "Unproven." The race condition requirement is a meaningful barrier; it introduces unreliability into any exploit attempt and may require many iterations to succeed. That said, Win32K use after free vulnerabilities have a long history of successful exploitation in Windows, and skilled attackers have repeatedly demonstrated the ability to stabilize race condition based kernel exploits.
Patch Information
Microsoft released an official fix for CVE-2026-34347 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the Remediation Level as "Official Fix," meaning a complete vendor solution is available.
The patch corrects the object lifetime management in Win32K GRFX to prevent the stale reference from occurring. Because Win32K is a closed source Windows kernel component, no source level diff is publicly available. The fix is distributed exclusively through Microsoft's cumulative and hotpatch update channels.
The affected product matrix is broad, spanning legacy and modern Windows versions:
| Platform | KB Article(s) | Patched Build |
|---|---|---|
| Windows Server 2022 | KB5087545 (cumulative) / KB5087424 (hotpatch) | 20348.5139 / 20348.5074 |
| Windows Server 2025 | KB5087539 (cumulative) / KB5087423 (hotpatch) | 26100.32860 / 26100.32772 |
| Windows Server 2022, 23H2 Edition | KB5087541 | 25398.2330 |
| Windows Server 2019 / Windows 10 v1809 | KB5087538 | 17763.8755 |
| Windows Server 2016 / Windows 10 v1607 | KB5087537 | 14393.9140 |
| Windows Server 2012 R2 | KB5087471 | 9600.23181 |
| Windows Server 2012 | KB5087470 | 9200.26079 |
| Windows 11 26H1 | KB5089548 | 28000.2113 |
| Windows 11 24H2 / 25H2 | KB5089549 (cumulative) / KB5089466 (hotpatch) | 26100.8457 / 26100.8390 (24H2); 26200.8457 / 26200.8390 (25H2) |
| Windows 11 23H2 | KB5087420 | 22631.7079 |
| Windows 10 21H2 / 22H2 | KB5087544 | 19044.7291 / 19045.7291 |
A noteworthy aspect of this release is the availability of hotpatch updates for Windows Server 2022, Windows Server 2025, and Windows 11 24H2/25H2. Hotpatch updates (e.g., KB5087424, KB5087423, KB5089466) apply the security fix in memory without requiring a full reboot. The hotpatch builds are slightly lower (e.g., 20348.5074 vs. 20348.5139) because they carry only the security delta, while the cumulative update also bundles non security quality improvements. This is particularly valuable for server environments where uptime is critical.
All updates are available through Windows Update, Windows Update for Business, WSUS, and the Microsoft Update Catalog. Customer action is marked as Required for every affected product, meaning administrators should verify installation across their fleet. No alternative workarounds are documented by the vendor.
Affected Systems and Versions
The vulnerability affects the Win32K GRFX component across all currently supported Windows client and server platforms. Specific affected versions and their target patched builds include:
Windows Client:
- Windows 11 26H1 (patched at build 28000.2113)
- Windows 11 24H2 (patched at build 26100.8457)
- Windows 11 25H2 (patched at build 26200.8457)
- Windows 11 23H2 (patched at build 22631.7079)
- Windows 10 22H2 (patched at build 19045.7291)
- Windows 10 21H2 (patched at build 19044.7291)
- Windows 10 v1809 (patched at build 17763.8755)
- Windows 10 v1607 (patched at build 14393.9140)
Windows Server:
- Windows Server 2025 (patched at build 26100.32860)
- Windows Server 2022, 23H2 Edition (patched at build 25398.2330)
- Windows Server 2022 (patched at build 20348.5139)
- Windows Server 2019 (patched at build 17763.8755)
- Windows Server 2016 (patched at build 14393.9140)
- Windows Server 2012 R2 (patched at build 9600.23181)
- Windows Server 2012 (patched at build 9200.26079)
Any system running a build number lower than the patched build for its respective version is vulnerable.
References
- MSRC Advisory: CVE-2026-34347
- NVD Entry: CVE-2026-34347
- CVE Record: CVE-2026-34347
- Microsoft Support: KB5087545
- Tenable: Microsoft's May 2026 Patch Tuesday
- Zero Day Initiative: May 2026 Security Update Review
- CIS Advisory: Critical Patches for Microsoft Products, May 12, 2026
- BleepingComputer: Microsoft May 2026 Patch Tuesday



