Win32k Elevation of Privilege Vulnerability

Plan Patch7CVE-2026-24285Mar 10, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityHigh

User InteractionNone needed

Summary

A use-after-free vulnerability in the Windows Win32k subsystem allows a local, authenticated user to execute code with SYSTEM-level privileges. The vulnerability is in kernel memory management and requires the attacker to have an active user account on the target system and the ability to run arbitrary code. Microsoft rates exploitation as less likely and has released patches across all supported Windows versions.

What this means

What could happen

A user with a local account on a Windows system could exploit this flaw to gain system-level privileges, potentially allowing them to modify critical software, access sensitive data, or disrupt operations on HMI workstations or engineering servers.

Who's at risk

Windows administrators managing Windows 10, Windows 11, and Windows Server systems (2016, 2019, 2022, 2025) in critical environments, particularly HMI workstations, engineering servers, and SCADA host computers that rely on Windows for process visibility or control.

How it could be exploited

An attacker with a local user account runs malicious code that triggers a use-after-free condition in Win32k. Once the kernel memory vulnerability is exploited, the attacker's process can execute with SYSTEM privileges, bypassing access controls.

Prerequisites

Local user account on the Windows system
Ability to execute arbitrary code on the system

Locally exploitableRequires authentication (local user account)High complexity (use-after-free vulnerability)Affects multiple Windows versions

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (25)

25 with fix

ProductAffected VersionsFix Status

Windows 10 Version 1809 for 32-bit SystemsAll versionsBuild 10.0.17763.8511

Windows 10 Version 1809 for x64-based SystemsAll versionsBuild 10.0.17763.8511

Windows Server 2019All versionsBuild 10.0.17763.8511

Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8511

Windows Server 2022All versionsBuild 10.0.20348.4893

Remediation & Mitigation

0/3

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Windows Server 2016

HOTFIXApply the 2026-Mar security update to all Windows systems (Windows 10, Windows 11, and Windows Server 2016/2019/2022/2025)

Long-term hardening

0/2

HARDENINGRestrict user account creation and disable guest accounts on engineering workstations and HMI servers to limit local attack surface

HARDENINGImplement application whitelisting on critical systems to prevent unauthorized code execution

CVEs (1)

CVE-2026-24285

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/16aa9126-4269-4b6a-9f61-d9aa72414e06

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.