Windows Win32k Elevation of Privilege Vulnerability

Plan Patch | CVSS 7.8 | CVE-2026-32222 | Apr 14, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Windows Win32K ICOMP allows a locally authenticated user to elevate privileges through untrusted pointer dereference. An authorized attacker could trigger this flaw to execute arbitrary code at kernel level and take full control of the system.

What this means
What could happen
A user with local access to a Windows system could execute commands with elevated privileges, potentially compromising the integrity of the entire device and any systems it manages or communicates with.
Who's at risk
This vulnerability affects Windows 11 systems (versions 24H2, 25H2, 26H1) and Windows Server 2025 across both x64 and ARM architectures. Any organization running these Windows systems as HMI (Human-Machine Interface) workstations, engineering workstations, or data servers used in OT environments should prioritize patching, as compromise could allow an attacker to modify industrial control parameters, disable safety interlocks, or disrupt remote management capabilities.
How it could be exploited
An attacker with local user access executes specially crafted code that triggers an untrusted pointer dereference in the Windows Win32K driver, causing the kernel to execute attacker-controlled instructions at elevated privilege level.
Prerequisites
  • Local user account on the affected Windows system
  • Code execution capability as a standard user
Low complexity attack | Low authentication required (local user) | High impact to confidentiality, integrity, and availability
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (8)
8 with fix
Product | Affected Versions | Fix Status
Windows 11 Version 26H1 for ARM64-based Systems | All versions | Build 10.0.28000.1836
Windows 11 Version 26H1 for x64-based Systems | All versions | Build 10.0.28000.1836
Windows Server 2025 (Server Core installation) | All versions | Build 10.0.26100.32690
Windows 11 Version 25H2 for ARM systems | All versions | Build 10.0.26200.8246
Windows 11 Version 25H2 for x64-based Systems | All versions | Build 10.0.26200.8246
Windows 11 Version 24H2 for ARM64-based Systems | All versions | Build 10.0.26100.32690
Windows 11 Version 24H2 for x64-based Systems | All versions | Build 10.0.26100.32690
Windows Server 2025 | All versions | Build 10.0.26100.32690
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

Windows Server 2025
HOTFIX: Install the April 2026 Windows security update for your version and architecture (Windows 11 26H1/25H2/24H2 or Windows Server 2025) to patch the Win32K vulnerability.
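
To confirm the update landed, a host's build string can be compared with the fix builds listed under "Affected products". The PowerShell below is an added example, not part of the advisory or of any Microsoft tooling; the function name, status labels and inventory entries are constructed for illustration.

```powershell
# Minimum fixed revision per OS build, copied from the advisory's table.
$FixedRevision = @{
    28000 = 1836    # Windows 11 26H1
    26200 = 8246    # Windows 11 25H2
    26100 = 32690   # Windows 11 24H2 and Windows Server 2025 (incl. Server Core)
}

# Hypothetical helper: classify a build string such as '10.0.26100.32690'.
function Test-Win32kFix {
    param([Parameter(Mandatory)][string]$Version)

    $v = $null
    $parsed = [version]::TryParse($Version, [ref]$v)
    if ((-not $parsed) -or ($v.Revision -lt 0)) {
        return 'Unparseable'      # needs all four parts: major.minor.build.revision
    }
    if (-not $FixedRevision.ContainsKey($v.Build)) {
        return 'NotListed'        # build line is not in the advisory's table
    }
    if ($v.Revision -ge $FixedRevision[$v.Build]) { return 'Patched' }
    return 'NeedsUpdate'
}

# Constructed inventory (host names and build strings are made up for the example).
$Inventory = @(
    [pscustomobject]@{ Name = 'hmi-01';     Version = '10.0.26100.32690' }
    [pscustomobject]@{ Name = 'eng-ws-02';  Version = '10.0.26200.7100' }
    [pscustomobject]@{ Name = 'hist-srv-1'; Version = '10.0.20348.2400' }
)
$Inventory | Select-Object Name, Version,
    @{ Name = 'Status'; Expression = { Test-Win32kFix $_.Version } }

# Local host: build number and update revision (UBR) read from the registry.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Test-Win32kFix ('10.0.{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
```

A 'NotListed' result only means the build line does not appear in this advisory's table; it does not by itself show the system is unaffected.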