Windows Win32k Elevation of Privilege Vulnerability

Plan PatchCVSS 7.8CVE-2026-35417May 12, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A type confusion vulnerability in Windows Win32k (the graphics subsystem kernel component) allows an authorized local user to escalate privileges to SYSTEM level. The vulnerability exists in memory handling within Win32K-ICOMP. Affected systems include all currently supported Windows versions: Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), Windows Server 2019, 2022, 2025, including both full and Server Core installations on 32-bit, x64, and ARM64 architectures. Microsoft has released patches for all affected versions.

What this means

What could happen

A user with legitimate access to a Windows workstation or server could exploit a flaw in the Win32k graphics subsystem to gain administrative privileges, potentially allowing them to modify process controls, alter system configurations, or install persistent malware on critical infrastructure systems.

Who's at risk

Windows 10 and Windows 11 workstations, and Windows Server 2019, 2022, and 2025 systems used as HMI servers, historian databases, engineering workstations, or domain controllers in water utilities and municipal electric systems. Also affects any servers providing authentication, remote access, or industrial protocol gateways running affected Windows versions.

How it could be exploited

An attacker with standard user or service account access runs a specially crafted application that triggers a type confusion vulnerability in Win32k graphics code. The flawed memory handling allows the attacker to escalate privileges to SYSTEM level without requiring additional authentication or user interaction.

Prerequisites

Local access to a Windows system or server as a standard user or low-privilege service account
No additional privileges or special configuration required

locally exploitablelow complexity attackno authentication bypass requiredaffects Windows infrastructure across all recent versionsactively being exploited in the wild

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (23)

23 with fix

ProductAffected VersionsFix Status

Windows 10 Version 1809 for 32-bit SystemsAll versionsBuild 10.0.17763.8755

Windows 10 Version 1809 for x64-based SystemsAll versionsBuild 10.0.17763.8755

Windows Server 2019All versionsBuild 10.0.17763.8755

Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8755

Windows Server 2022All versionsBuild 10.0.20348.5139

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGRestrict local logon privileges on critical systems to only necessary users and service accounts

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXApply the 2026-May Windows security update to all affected systems

HOTFIXPrioritize patching Windows Server systems that support SCADA, HMI, or engineering workstations

Long-term hardening

0/1

HARDENINGMonitor for unusual privilege escalation events and Win32k-related crashes in system event logs

CVEs (1)

CVE-2026-35417

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b4cb3c36-30f2-458c-8795-ea14c15a5465

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.