Windows Win32k Elevation of Privilege Vulnerability

Plan PatchCVSS 7.8CVE-2026-34333May 12, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Use after free in Windows Win32K graphics component allows an authorized local attacker to elevate privileges. Exploitation is assessed as less likely.

What this means

What could happen

An attacker with a local user account on an HMI, engineering workstation, or SCADA server could gain administrator privileges and run arbitrary commands with system-level access, potentially modifying process control logic or disrupting operations.

Who's at risk

This vulnerability affects all supported versions of Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025. IT managers at utilities should prioritize patching HMI (Human-Machine Interface) computers, engineering workstations used for SCADA configuration, and domain controllers. Any Windows-based system running industrial software (Wonderware, FactoryTalk, etc.) is potentially at risk if an attacker obtains local user credentials or compromises a user's session.

How it could be exploited

An attacker with a valid local user account on a Windows system exploits a use-after-free bug in the Win32K graphics component to escalate from user privileges to system/administrator privileges. The attacker would need to trigger a specific code path in the graphics driver to cause memory corruption, then execute arbitrary code with elevated privileges.

Prerequisites

Valid local user account on the target Windows system
Local code execution capability (ability to run applications on the system)

Affects all supported Windows versionsLow attack complexity once local access is obtainedHigh privilege elevation impact if exploitedHMI and engineering workstations are common attack targets

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (27)

27 with fix

ProductAffected VersionsFix Status

Windows 10 Version 1809 for 32-bit SystemsAll versionsBuild 10.0.17763.8755

Windows 10 Version 1809 for x64-based SystemsAll versionsBuild 10.0.17763.8755

Windows Server 2019All versionsBuild 10.0.17763.8755

Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8755

Windows Server 2022All versionsBuild 10.0.20348.5139

Remediation & Mitigation

0/9

Schedule — requires maintenance window

0/8

Patching may require device reboot — plan for process interruption

Windows Server 2019

HOTFIXUpdate Windows Server 2019 (all installations) to Build 10.0.17763.8755 or later

Windows Server 2022

HOTFIXUpdate Windows Server 2022 (all installations) to Build 10.0.20348.5139 or later

Windows Server 2025

HOTFIXUpdate Windows Server 2025 (all installations) to Build 10.0.26100.32860 or later

All products

HOTFIXUpdate Windows 10 Version 1809 (32-bit and x64) to Build 10.0.17763.8755 or later

HOTFIXUpdate Windows 10 Version 21H2 (all architectures) to Build 10.0.19044.7291 or later

HOTFIXUpdate Windows 10 Version 22H2 (all architectures) to Build 10.0.19045.7291 or later

HOTFIXUpdate Windows 11 Version 23H2 (all architectures) to Build 10.0.22631.7079 or later

HOTFIXUpdate Windows 11 Version 24H2 and later (all architectures) to the corresponding May 2026 security update or later

Long-term hardening

0/1

HARDENINGRestrict local user account creation on HMIs and engineering workstations to authorized personnel only

CVEs (1)

CVE-2026-34333

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fa1a1314-8932-450a-9732-29aaf0f827a3

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.