Win32k Elevation of Privilege Vulnerability

Plan PatchCVSS 7.8CVE-2026-34330May 12, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

An integer overflow vulnerability in the Windows Win32K graphics subsystem allows an authorized local user to escalate privileges to SYSTEM level. The Win32K component is core to Windows graphical operations and is used by most applications, including industrial control and HMI software. Microsoft has released patches for Windows 10 Version 1607 through Windows 11 Version 26H1, and Windows Server 2016 through 2025. Exploitation is assessed as unlikely in the wild, but the vulnerability requires only local user access and no special interactions to trigger.

What this means

What could happen

A user with local access to a Windows system could exploit this Win32k graphics vulnerability to run commands with system-level privileges, potentially allowing them to modify industrial control software, steal credentials, or disable safety systems on the machine.

Who's at risk

Windows IT environments that support OT operations, including operator workstations, engineering PCs, and servers running industrial software. This affects Windows 10 (all versions 1607 through 22H2), Windows 11 (all versions 23H2 through 26H1), Windows Server 2016, 2019, 2022, and 2025. Any facility where SCADA, HMI, or data historian software runs on Windows is at risk if a user with local access is compromised or malicious.

How it could be exploited

An attacker with a local user account on the Windows system triggers an integer overflow in the Win32k graphics subsystem through a specially crafted API call. This allows the attacker to escalate from user-level permissions to system-level (SYSTEM) privileges, gaining full control over the machine and any OT software running on it.

Prerequisites

Local user account on the Windows system
Ability to execute code or interact with the Win32k API on the affected system

Requires local access (not remotely exploitable)Requires valid user credentialsAffects core graphics subsystem used by all Windows processesImpacts multiple Windows versions across broad timeline

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (27)

27 with fix

ProductAffected VersionsFix Status

Windows 10 Version 1809 for 32-bit SystemsAll versionsBuild 10.0.17763.8755

Windows 10 Version 1809 for x64-based SystemsAll versionsBuild 10.0.17763.8755

Windows Server 2019All versionsBuild 10.0.17763.8755

Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8755

Windows Server 2022All versionsBuild 10.0.20348.5139

Remediation & Mitigation

0/3

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply the May 2026 Windows security update to all affected systems. Check Windows Update or WSUS for the latest cumulative update matching your Windows version (e.g., Build 10.0.19045.7291 for Windows 10 22H2).

Long-term hardening

0/2

HARDENINGRestrict local system access: enforce strong authentication and limit physical or remote console access to engineering workstations to only authorized personnel with a business need.

HARDENINGApply principle of least privilege: ensure users and service accounts run with minimal required permissions. Disable or remove local administrator accounts where not needed.

CVEs (1)

CVE-2026-34330

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9af9d668-fb9c-4843-b472-94cdeb02ca9c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.