Win32k Elevation of Privilege Vulnerability

Plan PatchCVSS 7CVE-2026-33104Apr 14, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityHigh

User InteractionNone needed

Summary

A race condition vulnerability exists in Windows Win32k graphics subsystem (GRFX) that allows concurrent execution with improper synchronization of shared resources. An authorized local user can exploit this timing vulnerability to elevate privileges to system level.

What this means

What could happen

An attacker with a local user account on a Windows machine could exploit a race condition in the graphics subsystem to gain administrative privileges, potentially allowing them to modify system settings, install persistent malware, or alter industrial control configurations if the machine is used for OT monitoring or engineering.

Who's at risk

Organizations running Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), Windows Server 2016, 2019, 2022, 2025 on any architecture should be concerned. This affects any Windows machine used for OT engineering workstations, HMI systems, data historian servers, or network monitoring platforms where a standard user account could be compromised or a disgruntled employee has local access.

How it could be exploited

An attacker with a local user account executes a specially crafted sequence of graphics-related operations that exploits a timing vulnerability in the Win32k kernel graphics driver. By winning a race condition in the shared resource handling, the attacker can escalate their privileges from standard user to system/administrator level on the machine.

Prerequisites

Local user account on the Windows machine
Ability to execute code or applications locally
No special administrator credentials required initially

Local privilege escalation requiredRequires local user accountAffects widely deployed Windows versionsCould impact OT engineering and monitoring infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (27)

27 with fix

ProductAffected VersionsFix Status

Windows 10 Version 1809 for 32-bit SystemsAll versionsBuild 10.0.17763.8644

Windows 10 Version 1809 for x64-based SystemsAll versionsBuild 10.0.17763.8644

Windows Server 2019All versionsBuild 10.0.17763.8644

Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8644

Windows Server 2022All versionsBuild 10.0.20348.5020

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict local login and account access to engineering workstations and HMI systems to trusted personnel only, using strong access controls

WORKAROUNDMonitor for suspicious privilege escalation attempts and failed administrative access attempts on OT-adjacent Windows systems

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Windows Server 2016

HOTFIXApply the April 2026 Windows security update to all affected Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025 systems

Long-term hardening

0/1

HARDENINGImplement application whitelisting on Windows machines used for OT monitoring or engineering to prevent unauthorized application execution

CVEs (1)

CVE-2026-33104

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f14eed7d-9b90-49da-b4df-307db7fb00da

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.