Win32k Elevation of Privilege Vulnerability

Recommended action: Plan Patch
CVSS: 7
CVE: CVE-2026-34331
Date: May 12, 2026
Vendor: Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

A race condition vulnerability in the Windows Win32k graphics component (GRFX) allows a user with a local account to escalate privileges to administrator or SYSTEM level. The vulnerability stems from improper synchronization of shared resources. Exploitation is assessed as unlikely; the fix is available in the May 2026 security update.

What this means
What could happen
An attacker with a local user account on a Windows computer or server could gain higher-level privileges and potentially control the entire system or critical applications running on it.
Who's at risk
Windows 10 (all versions from 1607 to 22H2) and Windows 11 (all versions from 23H2 to 26H1) on 32-bit, 64-bit, and ARM64 systems; Windows Server 2016, 2019, 2022, and 2025 installations. This affects any organization using these Windows versions as SCADA workstations, historian servers, engineering stations, or auxiliary IT systems in industrial facilities.
How it could be exploited
An attacker who already has a user account and can log into the Windows system would exploit a race condition in the Win32k graphics component to escalate their privileges from regular user to administrator or system level without additional credentials.
Prerequisites
  • Local user account on the affected Windows system
  • Ability to execute code locally
Risk factors
  • Affects Windows systems widely deployed in ICS networks
  • Requires a local user account (moderately reduces risk in restricted environments)
  • Race condition exploitation may be non-deterministic
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (27), all with a fix available
Product                                              Affected versions   Fix status
Windows 10 Version 1809 for 32-bit Systems           All versions        Build 10.0.17763.8755
Windows 10 Version 1809 for x64-based Systems        All versions        Build 10.0.17763.8755
Windows Server 2019                                  All versions        Build 10.0.17763.8755
Windows Server 2019 (Server Core installation)       All versions        Build 10.0.17763.8755
Windows Server 2022                                  All versions        Build 10.0.20348.5139
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply the May 2026 security update or later to all affected Windows 10, Windows 11, and Windows Server systems
Long-term hardening
HARDENING: Restrict local user account logon privileges to only necessary personnel; audit and remove unnecessary local user accounts
HARDENING: Monitor systems for suspicious elevation of privilege events in Windows Event Viewer (Security log Event IDs 4672, 4688)
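The hardening item above names Event IDs 4672 and 4688. The following PowerShell script, added here as an example and not part of the OTPulse advisory or Microsoft's guidance, pulls both from the Security log and surfaces the two patterns worth triage: an ordinary user logon being granted sensitive privileges, and a process created under a different account than the session that started it. It assumes an elevated session on the monitored host, that process creation auditing is enabled so 4688 is generated, a 24-hour look-back, and an allow-list of built-in accounts that must be tuned per site.

```powershell
# Added example, not OTPulse's or Microsoft's code. Assumes an elevated session,
# process creation auditing enabled (4688) and a 24-hour look-back (tunable).
param(
    [int]$HoursBack = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)
# Turn an event's EventData into a hashtable keyed by field name.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    return $data
}

# Built-in principals expected to hold sensitive privileges and to start
# processes as another account. Starting allow-list (assumption), tune per site.
$expected = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'DWM-1', 'UMFD-0')

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4672, 4688
    StartTime = (Get-Date).AddHours(-$HoursBack)
} -ErrorAction SilentlyContinue
$findings = foreach ($e in $events) {
    $d = ConvertTo-EventData $e
    # Skip built-in accounts and computer accounts (names ending in $).
    if ($expected -contains $d.SubjectUserName -or $d.SubjectUserName -like '*$') { continue }
    switch ($e.Id) {
        4672 {
            # Special privileges assigned to a new logon of a regular user.
            [pscustomobject]@{ Time = $e.TimeCreated; Id = 4672
                Account = $d.SubjectUserName; Detail = $d.PrivilegeList -replace '\s+', ' ' }
        }
        4688 {
            # Process creation where the target subject differs from the creator:
            # one logon session started a process under another account.
            if ($d.TargetUserName -and $d.TargetUserName -ne '-' -and
                $d.TargetUserName -ne $d.SubjectUserName) {
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4688
                    Account = "$($d.SubjectUserName) -> $($d.TargetUserName)"; Detail = $d.NewProcessName }
            }
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

Expect routine hits from administrators and service accounts on first run; the value is in the residual after the allow-list is tuned to the host's normal activity.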

