Windows Kernel Elevation of Privilege Vulnerability

Plan PatchCVSS 7.8CVE-2026-33841May 12, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A heap-based buffer overflow in the Windows Kernel allows an authorized user with local access to elevate their privileges on the system. The vulnerability requires local execution; remote exploitation is not possible.

What this means

What could happen

A user logged into a Windows system could exploit this to gain administrative access, potentially allowing them to modify control logic, disable monitoring systems, or disrupt normal operations on HMIs and engineering workstations.

Who's at risk

This affects any organization using Windows 10, Windows 11, or Windows Server 2022/2025 as HMI (human-machine interface) systems, engineering workstations, or data historian servers. Particularly critical for organizations where these workstations have privileged access to control systems or network connectivity to PLCs and safety systems.

How it could be exploited

An attacker with an active user account on the system executes specially crafted code that triggers the heap-based buffer overflow in the Windows Kernel, elevating their privileges from standard user to administrator or system level. This could then be used to modify sensitive settings on OT systems managed from that workstation.

Prerequisites

Local user account on the affected Windows system
Ability to execute code on the system

Low complexity attackLocal execution required (not remotely exploitable)Requires valid user credentialsAffects high-privilege administrative functions

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (19)

19 with fix

ProductAffected VersionsFix Status

Windows 11 Version 24H2 for ARM64-based SystemsAll versionsBuild 10.0.26100.8457

Windows 11 Version 24H2 for x64-based SystemsAll versionsBuild 10.0.26100.8457

Windows Server 2025All versionsBuild 10.0.26100.32860

Windows Server 2022All versionsBuild 10.0.20348.5139

Windows Server 2022 (Server Core installation)All versionsBuild 10.0.20348.5139

Remediation & Mitigation

0/4

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXApply the 2026-May Windows security update to all affected Windows systems (Windows 10, 11, and Server 2022/2025)

HOTFIXPrioritize patching Windows systems that serve as engineering workstations or HMI interfaces with access to control systems

Long-term hardening

0/2

HARDENINGRestrict local administrative console access to Windows workstations to only authorized personnel

HARDENINGImplement application whitelisting or execution policy controls to restrict unauthorized code execution on engineering workstations

CVEs (1)

CVE-2026-33841

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2f9860e2-d27a-4a99-a382-f33bbae610c5

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.