Windows Win32k Elevation of Privilege Vulnerability

Plan Patch | CVSS 7 | CVE-2026-34347 | May 12, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

A use-after-free vulnerability in the Windows Win32k graphics subsystem allows an authorized attacker to elevate privileges locally. The vulnerability exists in the graphics rendering kernel module and requires a user-level execution context to trigger.

What this means
What could happen
An attacker with a user account on a Windows system could run commands with administrative privileges, potentially allowing them to modify industrial software configurations, disable monitoring systems, or install persistence mechanisms on critical workstations or servers.
Who's at risk
Windows system administrators and operators of any industrial control system running on Windows-based HMI workstations, data historians, or engineering workstations. This includes water utilities, electric utilities, manufacturing plants, and other facilities using Windows-based automation software. This is critical if these systems are used to manage PLCs, SCADA systems, or other process control equipment.
How it could be exploited
An attacker with valid user credentials on the Windows system executes a specially crafted application that triggers a use-after-free condition in the Win32k graphics driver. This memory corruption allows the attacker to escape the user-level privilege context and execute code with administrative rights.
Prerequisites
  • Valid user account credentials on the target Windows system
  • Local execution capability (attacker must run code on the machine, not remotely)
  • Graphics subsystem must be active (normal on all Windows systems with GUI)
Local privilege escalation | Requires valid credentials | Medium complexity exploitation | Affects all recent Windows versions
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (27)
27 with fix
Product | Affected Versions | Fix Status
Windows 10 Version 1809 for 32-bit Systems | All versions | Build 10.0.17763.8755
Windows 10 Version 1809 for x64-based Systems | All versions | Build 10.0.17763.8755
Windows Server 2019 | All versions | Build 10.0.17763.8755
Windows Server 2019 (Server Core installation) | All versions | Build 10.0.17763.8755
Windows Server 2022 | All versions | Build 10.0.20348.5139
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply Microsoft's May 2026 security update to all affected Windows systems
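
One way to confirm the update is in place across a fleet, as an added example (not part of the advisory or of Microsoft's tooling): the script compares each host's four-part OS version against the fixed builds in the product rows listed under "Affected products". It assumes an inventory export that gives a hostname and the full version (build plus update revision); the hostnames and sample versions are constructed, and build lines not shown on this page are reported as not-listed rather than guessed.

```python
# Added example: triage a Windows inventory against this advisory's fixed builds.
import re

# Fixed builds from the "Affected products" rows shown on this page,
# keyed by build line (major, minor, build) -> minimum patched revision.
FIXED_REVISION = {
    (10, 0, 17763): 8755,  # Windows 10 Version 1809, Windows Server 2019
    (10, 0, 20348): 5139,  # Windows Server 2022
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def classify(version):
    """Return 'patched', 'vulnerable', 'not-listed' or 'unparseable'."""
    m = _VERSION_RE.match(version or "")
    if not m:
        return "unparseable"
    major, minor, build, revision = map(int, m.groups())
    fixed = FIXED_REVISION.get((major, minor, build))
    if fixed is None:
        # Build line is not among the rows shown here; check the vendor advisory.
        return "not-listed"
    # Compare as integers: a string compare would rank "10001" below "8755".
    return "patched" if revision >= fixed else "vulnerable"


def triage(inventory):
    """Group hostnames by status; inventory is an iterable of (host, version)."""
    report = {"patched": [], "vulnerable": [], "not-listed": [], "unparseable": []}
    for host, version in inventory:
        report[classify(version)].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("hmi-01", "10.0.17763.8755"),
    ("hmi-02", "10.0.17763.6893"),
    ("historian-01", "10.0.20348.5139"),
    ("eng-ws-03", "10.0.20348.2700"),
    ("eng-ws-04", "10.0.19045.5011"),
    ("plc-gw-01", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Hosts in the not-listed and unparseable groups still need a manual check, since the advisory lists 27 affected products and only some rows appear here.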
Long-term hardening
HARDENING: Restrict user account creation and reduce the number of local user accounts with interactive logon rights to Windows HMI workstations
HARDENING: Implement application whitelisting on engineering workstations and HMI servers to prevent unauthorized executables from running
HARDENING: Monitor privileged account activity and process creation on Windows servers and workstations managing industrial processes