HIGH 7.8

CVE-2026-44802: Windows DWM Use-After-Free Privilege Escalation (CVSS 7.8)

A memory safety flaw in the Windows Desktop Window Manager (DWM) Core Library allows a logged-in user to crash the system or potentially run code with elevated privileges. The vulnerability stems from use-after-free code—a situation where freed memory is accessed again—affecting multiple versions of Windows 10, Windows 11, and Windows Server. An attacker must already have a user account on the machine to exploit it, making this a local privilege escalation risk rather than a remote attack vector.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
19 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-44802 is a use-after-free vulnerability (CWE-416) in the Windows DWM Core Library. The flaw allows an authenticated local user to trigger memory corruption by accessing memory that has already been freed, leading to arbitrary code execution in the context of the DWM process. With a CVSS 3.1 score of 7.8 (High), the vulnerability requires local access and valid user credentials but no user interaction. The attack surface is the DWM process itself, which runs with elevated privileges in the Windows session.

Business impact

Privilege escalation via this vulnerability allows an insider or compromised low-privilege user account to gain administrative control of a Windows workstation or server. In multi-tenant or shared-system environments, this significantly increases lateral movement risk and potential for unauthorized access to sensitive data. For organizations running Windows Server 2019, 2022, or 2025, exploitation could compromise critical infrastructure or business systems. The local-only requirement limits blast radius but elevates risk for organizations where user accounts are provisioned broadly or contractor access is common.

Affected systems

The vulnerability affects Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server 2019, 2022, and 2025. Organizations running end-of-support Windows 10 versions should prioritize migration planning. Windows 11 and recent Windows Server releases represent the bulk of affected enterprise deployments and require immediate patch assessment.

Exploitability

Exploitation requires valid local user credentials and no user interaction, but the attacker must be able to execute code on the target machine. Public exploitation tools are not yet available (CVE-2026-44802 is not on the CISA Known Exploited Vulnerabilities list as of publication), reducing immediate risk. However, the straightforward nature of use-after-free exploitation and the proximity of DWM to the kernel mean weaponization is feasible once detailed exploitation techniques surface. Organizations should assume active development of reliable exploits within weeks.

Remediation

Apply the latest Windows security updates from Microsoft released in June 2026 or later. Verify patch status across your Windows 10, 11, and Server inventory. For systems unable to patch immediately, mitigate by restricting local user access to trusted administrators only and disabling unnecessary local accounts. Consider application-level controls (AppLocker, Windows Sandbox, or credential guard) to reduce privilege escalation impact if patching is delayed.

Patch guidance

Check Windows Update for the June 2026 security release or later. Verify the update has been applied by running 'winver' or reviewing Security Update history in Settings. Microsoft will list specific KB article numbers in their official advisory—verify against the vendor's bulletin for your specific Windows version before confirming patching. Test patches in a non-production environment first to catch any compatibility regressions, particularly for Windows Server systems.

Detection guidance

Monitor for abnormal termination of the Desktop Window Manager (dwm.exe) process, as use-after-free exploitation often results in a crash. Look for suspicious process creation initiated by low-privilege users that result in elevated-privilege processes. Endpoint detection and response (EDR) solutions should alert on code execution originating from dwm.exe or attempts to elevate privileges via memory corruption exploits. Behavioral analytics that track process relationships and privilege transitions will surface exploitation attempts before damage occurs.

Why prioritize this

This vulnerability merits immediate patching due to its HIGH CVSS score, local privilege escalation capability, and broad OS coverage. The DWM Core Library is essential to Windows, and any memory corruption flaw there poses systemic risk. Although not yet actively exploited in the wild, the low barrier to local exploitation and the privilege level gained make this a top candidate for rapid weaponization. Organizations should prioritize Windows Server and Windows 11 systems in high-security environments (finance, healthcare, critical infrastructure) within 30 days.

Risk score, explained

The CVSS 3.1 score of 7.8 (High) reflects: (1) local attack vector with low complexity; (2) requirement for low privileges but no user interaction; (3) high impact across confidentiality, integrity, and availability. The score does not account for the lack of current public exploits, which provides a short window for patching. The severity is justified by the privilege elevation outcome and the ubiquity of the affected Windows versions.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-44802 requires local access and a valid user account on the target machine. It cannot be exploited over the network, but any successful lateral movement into a Windows system creates the precondition for local privilege escalation via this flaw.

What if my organization is still running Windows 10 version 1809?

Windows 10 version 1809 reached end of service in May 2021 and is no longer receiving security updates from Microsoft. If your organization has instances still in use, prioritize migration to a supported version (Windows 10 22H2 or Windows 11) or implement compensating controls such as restricting local user provisioning and enforcing credential guard.

Does this vulnerability affect domain-joined systems differently?

Domain-joined systems are affected the same way locally, but additional mitigations are available: Group Policy can restrict user logon rights, multi-factor authentication and conditional access policies can reduce the likelihood of compromised credentials being used to gain local access, and centralized patch deployment via WSUS or Intune can accelerate remediation.

Are Windows 11 systems more or less vulnerable than Windows 10?

Both are affected and require patching. Windows 11 includes some exploit mitigation improvements (such as Control Flow Guard enhancements) that may raise the bar slightly for exploitation, but the underlying flaw exists across all versions. Patching is the only reliable remediation.

This analysis is provided for informational purposes to support vulnerability management and security decision-making. The details reflect publicly available information and the vendor's published guidance as of the date of publication. Patch version numbers and KB articles should be verified directly against Microsoft's official security advisory before deployment. No liability is assumed for decisions taken based on this analysis. Organizations should conduct their own risk assessment and testing within their environment before implementing any patches or mitigations. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).