HIGH 7.8

CVE-2026-44804: Windows DWM Use-After-Free Privilege Escalation (7.8 HIGH)

A use-after-free flaw in Windows Desktop Window Manager (DWM) Core Library permits an authorized local user to escalate their privileges to a higher level of system access. The vulnerability requires legitimate account credentials and local system access but does not require user interaction. An attacker with such access could exploit this flaw to gain elevated permissions and control critical system functions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-44804 is a use-after-free vulnerability (CWE-416) in the Windows DWM Core Library. The flaw allows a locally authenticated attacker to cause memory corruption by accessing memory that has been freed, leading to local privilege escalation. The attack vector is local (AV:L), requires low attack complexity (AC:L), and demands low privileges (PR:L) with no user interaction (UI:N). The impact is high across confidentiality, integrity, and availability (C:H/I:H/A:H), confined to the local system (S:U).

Business impact

Compromise of Windows 11 systems via this vulnerability could allow insider threats or compromised local accounts to gain administrative or SYSTEM-level privileges. This enables attackers to install persistent malware, steal sensitive data, modify system configurations, disable security controls, or launch further attacks across the network. Organizations relying on Windows 11 26H1 deployments face elevated risk to their security posture and operational integrity.

Affected systems

Microsoft Windows 11 version 26H1 is confirmed affected. Organizations running this build should verify their deployment scope and prioritize patching accordingly.

Exploitability

Exploitation requires local access with valid user credentials—an insider threat scenario or compromised standard user account. The low attack complexity and absence of user interaction requirements make this practical for attackers with initial system foothold. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, but the high CVSS score (7.8) and privilege escalation nature warrant rapid remediation regardless of active exploitation reports.

Remediation

Apply the security patch issued for Windows 11 26H1 as soon as possible. Verify patch installation via Windows Update or your organizational patch management system. Consider interim mitigations including strict local account access controls, disabling unnecessary local accounts, and enhanced monitoring of privilege escalation attempts.

Patch guidance

Obtain the latest security update for Windows 11 version 26H1 through Windows Update, Windows Server Update Services (WSUS), or the Microsoft Security Update Guide. Test patches in a non-production environment before broad rollout. Verify successful installation by confirming the patched DWM Core Library version matches Microsoft's advisory guidance.

Detection guidance

Monitor for suspicious privilege escalation activities using Windows Event Viewer (Security log, event IDs 4672, 4688) and endpoint detection and response (EDR) tools. Track unexpected elevation of user privileges, unusual memory access patterns in DWM processes, or application crashes involving dwm.exe. Correlate with successful local logon events (event ID 4624, logon type 2 or 10) to identify potential exploitation attempts.

Why prioritize this

This vulnerability scores HIGH (7.8) due to high-impact privilege escalation on a widely deployed OS. Although it requires pre-existing local access, it eliminates a crucial security boundary. Windows 11 26H1 is current infrastructure; rapid patching prevents insider threats and compromised-account scenarios from becoming full system compromise. Absence from KEV does not diminish urgency given the privilege escalation severity.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects the combination of local attack vector, low complexity, low privilege requirement, and complete compromise of system confidentiality, integrity, and availability. The vulnerability is not widespread in active exploits (KEV status: false), but its fundamental nature—memory safety flaw enabling privilege escalation—and presence in current Windows versions warrant high organizational priority.

Frequently asked questions

Does this vulnerability require administrator privileges to exploit?

No. It requires a valid local user account with standard (low) privileges. An attacker with such credentials can trigger the use-after-free flaw to elevate to higher privileges without needing to already be an administrator.

Is there active exploitation of CVE-2026-44804 in the wild?

As of the vulnerability's publication, it is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation. However, organizations should treat this as a high priority due to its privilege escalation nature and potential attractiveness to threat actors.

What should we do if we cannot patch immediately?

Implement defense-in-depth controls: restrict local logon privileges and disable unused local accounts, monitor privilege escalation events via Event Viewer and EDR, enforce multi-factor authentication where applicable, and isolate critical Windows 11 26H1 systems from untrusted network segments. Apply patches as soon as testing permits.

Which Windows versions are affected?

Microsoft Windows 11 version 26H1 is confirmed affected by this vulnerability. Verify your environment's build number to determine exposure.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. Patch version numbers and remediation steps should be verified against official Microsoft security advisories before implementation. SEC.co makes no warranties regarding exploit status or real-world impact and recommends consulting vendor guidance and your security team for deployment-specific risk assessment. Active threat landscape conditions may change; monitor CISA KEV and vendor advisories for updates. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).