Introduction
A type confusion flaw in the Windows Win32K ICOMP kernel subsystem gives any locally authenticated user with low privileges a reliable path to SYSTEM, with no user interaction required and low attack complexity. Disclosed as part of Microsoft's May 2026 Patch Tuesday alongside 119 other fixes, CVE-2026-35417 carries a CVSS 3.1 score of 7.8 and an "Exploitation More Likely" assessment from Microsoft, making it a priority for any organization managing Windows endpoints or servers.
Technical Information
Root Cause: Type Confusion in Win32K ICOMP
The vulnerability is rooted in a type confusion condition (CWE-843) within the Win32K ICOMP component. Win32k is the kernel mode driver responsible for the Windows graphical subsystem, handling window management, GDI operations, and related system calls. Type confusion occurs when the kernel treats a memory object as a type it was not intended to be, allowing an attacker to corrupt kernel data structures in a controlled manner.
Microsoft's advisory classifies this as "Access of Resource Using Incompatible Type," meaning the ICOMP code path accesses an internal resource using an incompatible type, which can be triggered by a locally authenticated user. Because Win32k operates in kernel mode, successful exploitation grants the attacker SYSTEM level privileges.
CVSS Vector Breakdown
The full CVSS 3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Local | Attacker must have local code execution |
| Attack Complexity | Low | No special conditions; repeatable exploitation |
| Privileges Required | Low | Standard user account sufficient |
| User Interaction | None | No victim action needed |
| Scope | Unchanged | Impact confined to the vulnerable component's authority |
| Confidentiality | High | Full read access to system data |
| Integrity | High | Full write access to system data |
| Availability | High | Complete denial of service possible |
Attack Flow
Exploitation of CVE-2026-35417 would follow a local privilege escalation pattern:
- Initial Access: The attacker obtains a low privilege foothold on a Windows system through phishing, credential theft, remote access, or another initial access technique.
- Trigger the Type Confusion: The attacker crafts specific sequences of GDI or window management API calls targeting the Win32k ICOMP subsystem. These calls cause the kernel to misinterpret a memory object's type within the ICOMP code path.
- Kernel Memory Corruption: By carefully controlling the layout and contents of the confused object, the attacker corrupts kernel memory structures. This can redirect execution flow or overwrite security tokens.
- Privilege Escalation: The attacker achieves code execution in kernel context or modifies their process token to gain SYSTEM privileges, completing the escalation from a standard user to full system control.
Because Win32K is a closed source kernel mode driver, no public source code diff or vulnerable code snippet is available. The fix is delivered entirely through binary patches.
Patch Information
Microsoft released an official fix for CVE-2026-35417 on May 12, 2026, as part of the May 2026 Patch Tuesday security rollout. The MSRC advisory marks the Remediation Level as "Official Fix" and the Exploit Code Maturity as "Unproven" at the time of publication.
The following table maps each KB article to the affected products and patched build numbers:
| KB Article | Affected Product(s) | Patched Build |
|---|---|---|
| KB5089548 | Windows 11 26H1 (x64, ARM64) | 10.0.28000.2113 |
| KB5089549 | Windows 11 24H2 / 25H2 (x64, ARM64) | 10.0.26100.8457 / 10.0.26200.8457 |
| KB5089466 | Windows 11 24H2 / 25H2 (Hotpatch) | 10.0.26100.8390 / 10.0.26200.8390 |
| KB5087420 | Windows 11 23H2 (x64, ARM64) | 10.0.22631.7079 |
| KB5087544 | Windows 10 21H2 / 22H2 (x64, ARM64, 32 bit) | 10.0.19044.7291 / 10.0.19045.7291 |
| KB5087539 | Windows Server 2025 | 10.0.26100.32860 |
| KB5087423 | Windows Server 2025 (Hotpatch) | 10.0.26100.32772 |
| KB5087541 | Windows Server 2022, 23H2 Edition (Server Core) | 10.0.25398.2330 |
| KB5087545 | Windows Server 2022 (full, Server Core) | 10.0.20348.5139 |
| KB5087424 | Windows Server 2022 (Hotpatch) | 10.0.20348.5074 |
| KB5087538 | Windows Server 2019 / Windows 10 1809 (x64, 32 bit) | 10.0.17763.8755 |
Several products received Security Hotpatch Updates (KB5089466, KB5087423, KB5087424) that can be applied without a full reboot, reducing operational downtime. These hotpatch KBs deliver the same security fix but target a slightly different build number reflecting the hotpatch delta.
Known deployment issue: Administrators deploying KB5087420 for Windows 11 Version 23H2 should be aware that devices with specific BitLocker Group Policy configurations and PCR7 binding set to "Not Possible" may require a BitLocker recovery key on the first restart. Ensure BitLocker recovery keys are escrowed and accessible before deploying the update.
To apply the fix, install the relevant cumulative update through Windows Update, WSUS, or by downloading the standalone package from the Microsoft Update Catalog.
The vulnerability is also tracked in the GitHub Advisory Database under GHSA-3wc2-mwpc-hr6w.
Detection Methods
Network Based Detection via Snort IDS/IPS
Cisco Talos released Snort rules on May 12, 2026 covering multiple vulnerabilities from this Patch Tuesday cycle, including CVE-2026-35417:
- Snort 2: SIDs 1:66438 through 1:66445, 1:66451 through 1:66460, and 1:66470 through 1:66476
- Snort 3: SIDs 1:301494 through 1:301497, 1:301500 through 1:301506, 1:66472 through 1:66473, and 1:66476
The Talos blog does not provide per CVE SID mappings for this release; these ranges collectively cover multiple May 2026 Patch Tuesday vulnerabilities. Cisco Security Firewall customers should update their Security Rule Update (SRU), while open source Snort Subscriber Ruleset users should download the latest rule pack from Snort.org. While this is fundamentally a local privilege escalation vulnerability, Snort rules may detect reconnaissance, exploitation attempts, or related post exploitation network activity in environments where remote access protocols like RDP are in use.
Vulnerability Scanning with Qualys
Qualys released QIDs for the May 2026 Patch Tuesday cycle. The full QQL query for identifying systems missing May 2026 patches is:
vulnerabilities.vulnerability: ( qid: 110525 or qid: 110526 or qid: 387304 or qid: 387305 or qid: 5012492 or qid: 92384 or qid: 92385 or qid: 92386 or qid: 92387 or qid: 92388 or qid: 92390 or qid: 92392 or qid: 92393 or qid: 92394 or qid: 92396 )
QIDs 92385 and 92386, as suggested by upstream analysis, should be used to filter for systems specifically affected by Win32k related updates including CVE-2026-35417.
Endpoint and Behavioral Detection
Since successful exploitation elevates an attacker from a low privileged user to SYSTEM, endpoint detection strategies are critical:
- Unexpected privilege transitions: Monitor for processes that unexpectedly escalate from standard user privileges to SYSTEM, especially those interacting heavily with the Win32k kernel subsystem (
win32kfull.sys,win32kbase.sys). - Anomalous Win32k system call patterns: Type confusion exploits in Win32k typically involve crafting specific sequences of GDI or window management API calls. Look for unusual patterns of Win32k related syscalls from processes that would not normally make them.
- Process lineage anomalies: Watch for low integrity processes spawning high integrity child processes, for example a user mode application spawning
cmd.exeorpowershell.exerunning as SYSTEM.
Patch Verification
Defenders can verify whether systems are protected by confirming that the relevant May 2026 security updates are installed. For example, Windows 11 Version 24H2 systems should be at build 10.0.26100.8457 or later (KB5089549), and Windows Server 2025 should be at build 10.0.26100.32860 or later (KB5087539).
Affected Systems and Versions
The vulnerability affects a broad range of Windows client and server operating systems across 32 bit, x64, and ARM64 architectures:
| Product | Platform | Vulnerable Version Range | Fixed In Build |
|---|---|---|---|
| Windows 10 Version 1809 | 32 bit, x64 | 10.0.17763.0 through 10.0.17763.8754 | 10.0.17763.8755 |
| Windows 10 Version 21H2 | 32 bit, ARM64, x64 | 10.0.19044.0 through 10.0.19044.7290 | 10.0.19044.7291 |
| Windows 10 Version 22H2 | 32 bit, ARM64, x64 | 10.0.19045.0 through 10.0.19045.7290 | 10.0.19045.7291 |
| Windows 11 Version 23H2 | x64 | 10.0.22631.0 through 10.0.22631.7078 | 10.0.22631.7079 |
| Windows 11 Version 24H2 | ARM64, x64 | 10.0.26100.0 through 10.0.26100.8456 | 10.0.26100.8457 |
| Windows 11 Version 25H2 | ARM64, x64 | 10.0.26200.0 through 10.0.26200.8456 | 10.0.26200.8457 |
| Windows 11 Version 26H1 | ARM64, x64 | 10.0.28000.0 through 10.0.28000.2112 | 10.0.28000.2113 |
| Windows Server 2019 | x64 | 10.0.17763.0 through 10.0.17763.8754 | 10.0.17763.8755 |
| Windows Server 2022 | x64 | 10.0.20348.0 through 10.0.20348.5138 | 10.0.20348.5139 |
| Windows Server 2022, 23H2 Edition | x64 | 10.0.25398.0 through 10.0.25398.2329 | 10.0.25398.2330 |
| Windows Server 2025 | x64 | 10.0.26100.0 through 10.0.26100.32859 | 10.0.26100.32860 |
References
- NVD Entry for CVE-2026-35417
- MSRC Security Update Guide: CVE-2026-35417
- CVE Record: CVE-2026-35417
- GitHub Advisory: GHSA-3wc2-mwpc-hr6w
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Cisco Talos: Microsoft Patch Tuesday May 2026
- Qualys: Microsoft Patch Tuesday May 2026 Security Update Review
- KB5089548: Windows 11 26H1 (OS Build 28000.2113)
- KB5089549: Windows 11 24H2/25H2 (OS Builds 26200.8457 and 26100.8457)
- KB5087420: Windows 11 23H2 (OS Build 22631.7079)
- KB5087544: Windows 10 21H2/22H2 (OS Builds 19045.7291 and 19044.7291)
- KB5087538: Windows Server 2019 / Windows 10 1809 (OS Build 17763.8755)
- KB5087539: Windows Server 2025 (OS Build 26100.32860)
- KB5087545: Windows Server 2022 (OS Build 20348.5139)
- KB5087541: Windows Server 2022 23H2 (OS Build 25398.2330)
- Ten Forums: Microsoft May/June 2026 Security Updates
- Windows Forum: CVE-2026-35417



