ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-35417 — Windows Win32k ICOMP Type Confusion Privilege Escalation

A brief summary of CVE-2026-35417, a type confusion vulnerability in the Windows Win32K ICOMP kernel subsystem that enables local privilege escalation to SYSTEM. Includes patch details, detection methods, and affected version matrix.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Quick Look: CVE-2026-35417 — Windows Win32k ICOMP Type Confusion Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A type confusion flaw in the Windows Win32K ICOMP kernel subsystem gives any locally authenticated user with low privileges a reliable path to SYSTEM, with no user interaction required and low attack complexity. Disclosed as part of Microsoft's May 2026 Patch Tuesday alongside 119 other fixes, CVE-2026-35417 carries a CVSS 3.1 score of 7.8 and an "Exploitation More Likely" assessment from Microsoft, making it a priority for any organization managing Windows endpoints or servers.

Technical Information

Root Cause: Type Confusion in Win32K ICOMP

The vulnerability is rooted in a type confusion condition (CWE-843) within the Win32K ICOMP component. Win32k is the kernel mode driver responsible for the Windows graphical subsystem, handling window management, GDI operations, and related system calls. Type confusion occurs when the kernel treats a memory object as a type it was not intended to be, allowing an attacker to corrupt kernel data structures in a controlled manner.

Microsoft's advisory classifies this as "Access of Resource Using Incompatible Type," meaning the ICOMP code path accesses an internal resource using an incompatible type, which can be triggered by a locally authenticated user. Because Win32k operates in kernel mode, successful exploitation grants the attacker SYSTEM level privileges.

CVSS Vector Breakdown

The full CVSS 3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H:

MetricValueImplication
Attack VectorLocalAttacker must have local code execution
Attack ComplexityLowNo special conditions; repeatable exploitation
Privileges RequiredLowStandard user account sufficient
User InteractionNoneNo victim action needed
ScopeUnchangedImpact confined to the vulnerable component's authority
ConfidentialityHighFull read access to system data
IntegrityHighFull write access to system data
AvailabilityHighComplete denial of service possible

Attack Flow

Exploitation of CVE-2026-35417 would follow a local privilege escalation pattern:

  1. Initial Access: The attacker obtains a low privilege foothold on a Windows system through phishing, credential theft, remote access, or another initial access technique.
  2. Trigger the Type Confusion: The attacker crafts specific sequences of GDI or window management API calls targeting the Win32k ICOMP subsystem. These calls cause the kernel to misinterpret a memory object's type within the ICOMP code path.
  3. Kernel Memory Corruption: By carefully controlling the layout and contents of the confused object, the attacker corrupts kernel memory structures. This can redirect execution flow or overwrite security tokens.
  4. Privilege Escalation: The attacker achieves code execution in kernel context or modifies their process token to gain SYSTEM privileges, completing the escalation from a standard user to full system control.

Because Win32K is a closed source kernel mode driver, no public source code diff or vulnerable code snippet is available. The fix is delivered entirely through binary patches.

Patch Information

Microsoft released an official fix for CVE-2026-35417 on May 12, 2026, as part of the May 2026 Patch Tuesday security rollout. The MSRC advisory marks the Remediation Level as "Official Fix" and the Exploit Code Maturity as "Unproven" at the time of publication.

The following table maps each KB article to the affected products and patched build numbers:

KB ArticleAffected Product(s)Patched Build
KB5089548Windows 11 26H1 (x64, ARM64)10.0.28000.2113
KB5089549Windows 11 24H2 / 25H2 (x64, ARM64)10.0.26100.8457 / 10.0.26200.8457
KB5089466Windows 11 24H2 / 25H2 (Hotpatch)10.0.26100.8390 / 10.0.26200.8390
KB5087420Windows 11 23H2 (x64, ARM64)10.0.22631.7079
KB5087544Windows 10 21H2 / 22H2 (x64, ARM64, 32 bit)10.0.19044.7291 / 10.0.19045.7291
KB5087539Windows Server 202510.0.26100.32860
KB5087423Windows Server 2025 (Hotpatch)10.0.26100.32772
KB5087541Windows Server 2022, 23H2 Edition (Server Core)10.0.25398.2330
KB5087545Windows Server 2022 (full, Server Core)10.0.20348.5139
KB5087424Windows Server 2022 (Hotpatch)10.0.20348.5074
KB5087538Windows Server 2019 / Windows 10 1809 (x64, 32 bit)10.0.17763.8755

Several products received Security Hotpatch Updates (KB5089466, KB5087423, KB5087424) that can be applied without a full reboot, reducing operational downtime. These hotpatch KBs deliver the same security fix but target a slightly different build number reflecting the hotpatch delta.

Known deployment issue: Administrators deploying KB5087420 for Windows 11 Version 23H2 should be aware that devices with specific BitLocker Group Policy configurations and PCR7 binding set to "Not Possible" may require a BitLocker recovery key on the first restart. Ensure BitLocker recovery keys are escrowed and accessible before deploying the update.

To apply the fix, install the relevant cumulative update through Windows Update, WSUS, or by downloading the standalone package from the Microsoft Update Catalog.

The vulnerability is also tracked in the GitHub Advisory Database under GHSA-3wc2-mwpc-hr6w.

Detection Methods

Network Based Detection via Snort IDS/IPS

Cisco Talos released Snort rules on May 12, 2026 covering multiple vulnerabilities from this Patch Tuesday cycle, including CVE-2026-35417:

  • Snort 2: SIDs 1:66438 through 1:66445, 1:66451 through 1:66460, and 1:66470 through 1:66476
  • Snort 3: SIDs 1:301494 through 1:301497, 1:301500 through 1:301506, 1:66472 through 1:66473, and 1:66476

The Talos blog does not provide per CVE SID mappings for this release; these ranges collectively cover multiple May 2026 Patch Tuesday vulnerabilities. Cisco Security Firewall customers should update their Security Rule Update (SRU), while open source Snort Subscriber Ruleset users should download the latest rule pack from Snort.org. While this is fundamentally a local privilege escalation vulnerability, Snort rules may detect reconnaissance, exploitation attempts, or related post exploitation network activity in environments where remote access protocols like RDP are in use.

Vulnerability Scanning with Qualys

Qualys released QIDs for the May 2026 Patch Tuesday cycle. The full QQL query for identifying systems missing May 2026 patches is:

vulnerabilities.vulnerability: ( qid: 110525 or qid: 110526 or qid: 387304 or qid: 387305 or qid: 5012492 or qid: 92384 or qid: 92385 or qid: 92386 or qid: 92387 or qid: 92388 or qid: 92390 or qid: 92392 or qid: 92393 or qid: 92394 or qid: 92396 )

QIDs 92385 and 92386, as suggested by upstream analysis, should be used to filter for systems specifically affected by Win32k related updates including CVE-2026-35417.

Endpoint and Behavioral Detection

Since successful exploitation elevates an attacker from a low privileged user to SYSTEM, endpoint detection strategies are critical:

  • Unexpected privilege transitions: Monitor for processes that unexpectedly escalate from standard user privileges to SYSTEM, especially those interacting heavily with the Win32k kernel subsystem (win32kfull.sys, win32kbase.sys).
  • Anomalous Win32k system call patterns: Type confusion exploits in Win32k typically involve crafting specific sequences of GDI or window management API calls. Look for unusual patterns of Win32k related syscalls from processes that would not normally make them.
  • Process lineage anomalies: Watch for low integrity processes spawning high integrity child processes, for example a user mode application spawning cmd.exe or powershell.exe running as SYSTEM.

Patch Verification

Defenders can verify whether systems are protected by confirming that the relevant May 2026 security updates are installed. For example, Windows 11 Version 24H2 systems should be at build 10.0.26100.8457 or later (KB5089549), and Windows Server 2025 should be at build 10.0.26100.32860 or later (KB5087539).

Affected Systems and Versions

The vulnerability affects a broad range of Windows client and server operating systems across 32 bit, x64, and ARM64 architectures:

ProductPlatformVulnerable Version RangeFixed In Build
Windows 10 Version 180932 bit, x6410.0.17763.0 through 10.0.17763.875410.0.17763.8755
Windows 10 Version 21H232 bit, ARM64, x6410.0.19044.0 through 10.0.19044.729010.0.19044.7291
Windows 10 Version 22H232 bit, ARM64, x6410.0.19045.0 through 10.0.19045.729010.0.19045.7291
Windows 11 Version 23H2x6410.0.22631.0 through 10.0.22631.707810.0.22631.7079
Windows 11 Version 24H2ARM64, x6410.0.26100.0 through 10.0.26100.845610.0.26100.8457
Windows 11 Version 25H2ARM64, x6410.0.26200.0 through 10.0.26200.845610.0.26200.8457
Windows 11 Version 26H1ARM64, x6410.0.28000.0 through 10.0.28000.211210.0.28000.2113
Windows Server 2019x6410.0.17763.0 through 10.0.17763.875410.0.17763.8755
Windows Server 2022x6410.0.20348.0 through 10.0.20348.513810.0.20348.5139
Windows Server 2022, 23H2 Editionx6410.0.25398.0 through 10.0.25398.232910.0.25398.2330
Windows Server 2025x6410.0.26100.0 through 10.0.26100.3285910.0.26100.32860

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization