HIGH 7.8

CVE-2026-45637: Windows DWM Local Privilege Escalation Vulnerability (CVSS 7.8)

A use-after-free vulnerability exists in the Windows Desktop Window Manager (DWM) Core Library that allows an authorized local user to escalate their privileges to a higher level of system access. The vulnerability requires the attacker to already have local logon capability and is not remotely exploitable. This type of flaw occurs when software continues to reference memory that has been freed, potentially allowing an attacker to manipulate that memory and gain elevated permissions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
19 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45637 is a use-after-free condition (CWE-416) in the Windows DWM Core Library. The vulnerability exists in memory management within the Desktop Window Manager component, which handles graphical rendering and window composition in Windows. An authenticated local attacker can trigger the freed memory reference through normal system interaction, potentially achieving arbitrary code execution with elevated privileges. The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects local attack surface, low complexity exploitation, and the requirement for prior user privilege—but yields high impact across confidentiality, integrity, and availability.

Business impact

This vulnerability enables privilege escalation on affected Windows systems, allowing a user with standard or limited privileges to gain administrative or SYSTEM-level access. In environments where workstations or servers host sensitive data or control critical processes, successful exploitation could lead to data exfiltration, unauthorized system modification, lateral movement to other systems, or denial of service. Organizations relying on privilege separation as a security control should prioritize remediation, particularly for high-value endpoints.

Affected systems

Affected platforms include Windows 10 versions 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server 2019, 2022, and 2025. The breadth of affected versions spans both consumer and enterprise editions, from older Windows 10 builds through the latest Windows 11 branches and current server releases. Any organization running these versions without the security update is potentially exposed.

Exploitability

The vulnerability requires an attacker to already possess local logon access to the target system, eliminating remote exploitation as a concern. However, the low attack complexity and absence of user interaction requirements (UI:N) mean that once an authorized user gains access—whether through compromise of standard credentials, physical access, or insider threat—exploitation can occur through normal system operations without triggering obvious warnings. It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not yet been documented at the time of publication.

Remediation

Apply the latest Windows security update released by Microsoft that addresses this vulnerability. Verify the specific patch version number and build through Microsoft's official security advisory. Given the wide scope of affected versions, most organizations will receive updates through standard Windows Update channels; however, server administrators should verify and test patches in lab environments before broad deployment to ensure no compatibility regressions with workloads or third-party applications.

Patch guidance

Monitor Microsoft Security Updates for the June 2026 patch cycle and later releases addressing CVE-2026-45637. Given the publication date of 2026-06-09 and modification of 2026-06-17, security updates should have been or shortly will be released. Confirm patch availability and applicability to your specific Windows versions through the Microsoft Update Catalog or your endpoint management platform. Prioritize patching across user-facing workstations and servers before patching less-critical infrastructure. Test patches in a controlled environment first, especially for Windows Server systems running production workloads.

Detection guidance

Monitor for suspicious use-after-free crashes or memory access violations originating from DWM.exe or processes interacting with the Desktop Window Manager. Endpoint Detection and Response (EDR) tools should flag privilege escalation events where a standard user process spawns a child process with elevated privileges without corresponding elevation prompts or explicit administrator approval. Log authentication events to identify lateral movement following successful local privilege escalation. Anomalous system API calls or exception handling within DWM or dependent graphics processes may indicate exploitation attempts, though such telemetry varies by endpoint instrumentation.

Why prioritize this

A CVSS 7.8 HIGH severity score combined with broad platform coverage (spanning Windows 10, 11, and Server 2019–2025) makes this a critical remediation priority. While the requirement for prior local access limits blast radius compared to remote vulnerabilities, privilege escalation flaws directly undermine trust boundaries in multi-user and containerized environments. The absence of public exploitation at publication does not diminish urgency; use-after-free vulnerabilities in core system libraries are attractive targets once patches are available. Organizations should treat this as a P1 or P2 remediation item based on their risk tolerance and whether affected systems handle sensitive workloads.

Risk score, explained

The CVSS 7.8 score reflects a locally exploitable vulnerability with high impact on confidentiality, integrity, and availability, offset by the authentication prerequisite. The vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates that an authorized attacker can reliably trigger the flaw with low complexity, achieve unrestricted impact on the compromised system, and require no user interaction. The lack of scope change (S:U) means impact is limited to the local system, not propagated across a network; however, post-exploitation movement is straightforward for an elevated attacker. Not yet in the KEV catalog, but the clear privilege escalation path and system library involvement elevate real-world risk.

Frequently asked questions

Does this vulnerability allow remote attackers to gain control of my system?

No. This vulnerability requires an attacker to already have local logon access to the system. It cannot be exploited over the network or by anonymous users. However, once a threat actor gains access via phishing, credential theft, or other initial compromise methods, this flaw enables them to elevate from standard user to administrative privileges.

Which Windows versions should I prioritize for patching?

All listed versions are at risk: Windows 10 (1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2, 26H1), and Windows Server 2019, 2022, and 2025. Prioritize user workstations in high-risk roles (executives, finance, R&D) and servers hosting critical services, then remediate remaining systems according to your change management and testing procedures.

Is there a workaround if I cannot patch immediately?

There is no known technical workaround. Your mitigation strategy should focus on restricting local logon access through strong authentication (multi-factor authentication), disabling unnecessary local user accounts, and monitoring for suspicious privilege escalation attempts. Apply the patch as soon as your testing cycle allows.

Will this vulnerability affect my Windows 7 or older server systems?

This advisory does not list Windows 7 or earlier versions as affected. However, verify with Microsoft's official security bulletin to confirm end-of-support systems are not impacted, and prioritize upgrading legacy systems as part of your broader patch and lifecycle strategy.

This analysis is based on publicly available information current as of the vulnerability publication date. CVSS scores, affected product lists, and KEV status reflect the source data provided and may be subject to updates or corrections by Microsoft or NIST. Organizations should verify patch availability and compatibility against Microsoft's official security advisories before deployment. No exploit code or weaponized proof-of-concept is provided. This document is intended for cybersecurity professionals and should not be construed as professional security advice for your specific environment; consult your security team and vendor documentation for remediation decisions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).