Win32k Elevation of Privilege Vulnerability

Plan patch
CVSS 7.8
CVE-2026-33840
May 12, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack vector: Local
Auth required: Low
Complexity: Low
User interaction: None needed
Summary

A use-after-free vulnerability in Windows Win32K graphics subsystem (ICOMP component) allows a user with a valid local account to execute code with elevated system privileges. Affects Windows Server 2025 and Windows 11 versions 24H2, 25H2, and 26H1 on both x64 and ARM64 systems. Microsoft has released security patches.

What this means
What could happen
An attacker with a valid user account on a Windows system could run arbitrary commands with elevated (administrator) privileges, gaining full control of the machine including any control system software running on it.
Who's at risk
Windows Server 2025 and Windows 11 systems (versions 24H2, 25H2, 26H1) running on x64 and ARM64 architectures. This affects any operator workstations, engineering stations, or HMI systems running these Windows versions, as well as Windows Server systems used for process monitoring or automation support.
How it could be exploited
An attacker with local access and valid user credentials (e.g., an operator or maintenance user) could exploit a use-after-free flaw in the Windows graphics subsystem to escalate from the user privilege level to system-level access. This requires the attacker to already have a local login session.
Prerequisites
  • Valid user account credentials on the Windows system
  • Local login access (physical or remote desktop session)
  • Windows Server 2025, Windows 11 Version 24H2, 25H2, or 26H1
  • Local exploitation only
  • Requires valid user credentials
  • Low complexity attack
  • High impact on system integrity
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (8)
8 with fix

Product                                            Affected versions   Fix status
Windows Server 2025 (Server Core installation)     All versions        Build 10.0.26100.32860
Windows 11 Version 25H2 for ARM64-based Systems    All versions        Build 10.0.26200.8457
Windows 11 Version 25H2 for x64-based Systems      All versions        Build 10.0.26200.8457
Windows 11 Version 24H2 for ARM64-based Systems    All versions        Build 10.0.26100.8457
Windows 11 Version 24H2 for x64-based Systems      All versions        Build 10.0.26100.8457
Windows Server 2025                                All versions        Build 10.0.26100.32860
Windows 11 Version 26H1 for x64-based Systems      All versions        Build 10.0.28000.2113
Windows 11 Version 26H1 for ARM64-based Systems    All versions        Build 10.0.28000.2113
Remediation & Mitigation
Do now
Hardening: Restrict local login and Remote Desktop access to only necessary personnel with strong, unique passwords
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Apply the May 2026 Windows security update to all affected systems
Long-term hardening
Hardening: Monitor and audit local account creation and privileged account usage for unauthorized activity
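To verify the hotfix item above on a given host, the following added PowerShell check (not from the advisory or from Microsoft) compares the installed build against the fixed builds listed in the affected-products table. It assumes the standard CurrentVersion registry values (CurrentBuildNumber, UBR, InstallationType) are present, and the function name Test-Cve202633840Patched is chosen here for illustration.

```powershell
# Fixed builds from the advisory's affected-products table, keyed by major build
# and installation type: Server 2025 and Windows 11 24H2 share build 26100 and
# are told apart by InstallationType ('Server' / 'Server Core' vs 'Client').
$FixedBuilds = @{
    '26100|Server' = [version]'10.0.26100.32860'   # Windows Server 2025 (incl. Server Core)
    '26100|Client' = [version]'10.0.26100.8457'    # Windows 11 Version 24H2
    '26200|Client' = [version]'10.0.26200.8457'    # Windows 11 Version 25H2
    '28000|Client' = [version]'10.0.28000.2113'    # Windows 11 Version 26H1
}

function Test-Cve202633840Patched {
    [CmdletBinding()]
    param(
        [string]$BuildNumber,      # e.g. '26100'; read from the registry when omitted
        [int]$Ubr,                 # update build revision (fourth version field)
        [string]$InstallationType  # 'Server', 'Server Core' or 'Client'
    )
    if (-not $BuildNumber) {
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $BuildNumber = $cv.CurrentBuildNumber
        $Ubr = $cv.UBR
        $InstallationType = $cv.InstallationType
    }
    # Both server SKUs receive the same fixed build, so fold 'Server Core' into 'Server'.
    $kind = if ($InstallationType -like 'Server*') { 'Server' } else { 'Client' }
    $current = [version]"10.0.$BuildNumber.$Ubr"
    $fixed = $FixedBuilds["$BuildNumber|$kind"]
    if (-not $fixed) {
        # Build not in the advisory table: not a listed affected product.
        return [pscustomobject]@{ Build = $current; Status = 'NotListed'; FixedBuild = $null }
    }
    # [version] comparison is field-by-field, so 10.0.26100.8457 -ge 10.0.26100.8000.
    $status = if ($current -ge $fixed) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{ Build = $current; Status = $status; FixedBuild = $fixed }
}

# Check the local machine (reads the registry):
Test-Cve202633840Patched

# Constructed sample inputs, to exercise the comparison without the registry:
# a Windows 11 24H2 client below the fixed revision, then one at the fixed revision,
# then a Server 2025 host on the same major build.
Test-Cve202633840Patched -BuildNumber 26100 -Ubr 8000 -InstallationType Client
Test-Cve202633840Patched -BuildNumber 26100 -Ubr 8457 -InstallationType Client
Test-Cve202633840Patched -BuildNumber 26100 -Ubr 32860 -InstallationType 'Server Core'
```

Run it across operator workstations and servers with Invoke-Command to produce a per-host patch status list for the maintenance window.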


Win32k Elevation of Privilege Vulnerability | CVSS 7.8 - OTPulse