CVE-2026-42905: Windows DWM Core Library Elevation of Privilege Vulnerability
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 6.2.9200.26132
- Affected Products
- 20
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Windows Desktop Window Manager (DWM) Core Library allows a locally authenticated attacker to elevate privileges on affected Windows 10 and Windows 11 systems. The flaw is reached through local code execution and requires only a low-privilege user account, with no network access or victim interaction needed. Successful exploitation gives the attacker full control over the affected host, including read, write, and crash capabilities over system resources. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows base images.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images layered on affected Windows base versions. Any image whose embedded OS version falls within the affected ranges is flagged automatically in both registry scans and CI/CD pipeline checks.
AvailableHarborGuard is capable of scoring this CVE at CVSS 7.8 HIGH and weighting it against each environment's compliance policy to determine urgency tier. Triage results are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
AvailableFor customers running affected Windows base images, a patched-image rebuild at the applicable fix version (for example, 10.0.14393.9234 for Windows 10 Version 1607, or 10.0.26100.8655 for Windows 11 Version 24H2) becomes available on HarborGuard once the upstream patched layer is published. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- AuthenticationRequired
Any low-privilege local user account is sufficient; no administrative rights are needed to trigger the vulnerability.
- Victim interactionNot required
The attacker does not need to involve or trick any other user; exploitation is entirely self-contained.
- Attack complexityDetail
The exploit is reliable and condition-free, with no race conditions or specific memory layout requirements to satisfy.
Blast Radius
- A successful attacker reads sensitive data from memory and the file system, including credentials, tokens, and protected configuration files.
- A successful attacker writes to or modifies privileged system resources, files, and registry keys that are normally protected from low-privilege users.
- A successful attacker can crash or destabilize the affected service or system, causing a denial of service for all users on that host.
- Full SYSTEM-level code execution on the compromised host becomes possible, allowing installation of malware, creation of new privileged accounts, or lateral movement to adjacent systems.
How HarborGuard Handles This
Available on HarborGuard: detection against this CVE is active for every customer environment scanning Windows-based container images, with matches surfaced within minutes of the advisory publication. Where compliance policy permits, patched-image rebuilds targeting the corrected OS versions are available as soon as upstream patched layers are accessible. For customers who opt into auto-remediation, HarborGuard can complete a rebuild, run a regression test suite, and open a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Because this is a local privilege escalation rather than a remotely exploitable flaw, teams that cannot immediately patch should consider restricting which container images are permitted to run on shared hosts and enforcing least-privilege policies at the orchestration layer as a compensating control while rollout proceeds.
Fix available
- Microsoft / Windows 10 Version 1607< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2< 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2< 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2< 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2< 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation)< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation)< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C