CVE-2026-42983: Windows DWM Core Library Elevation of Privilege Vulnerability
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 10.0.17763.8880
- Affected Products: 13
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Windows DWM (Desktop Window Manager) Core Library allows a locally authenticated attacker to elevate privileges on affected Windows 10 and Windows 11 systems. The flaw is reachable without any network exposure and requires only a low-privilege local account, meaning an attacker who has already gained a foothold on the system can exploit it without elevated rights. Successful exploitation grants full control over the affected system, including read, write, and execution capabilities at a higher privilege level. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows base images.
HarborGuard Coverage
Detection of CVE-2026-42983 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that layer on affected Windows base versions. Coverage extends to all registered container registries and CI/CD pipeline stages, so any image carrying a vulnerable DWM Core Library build can be flagged before it reaches production.
Status: Available
HarborGuard is capable of scoring this CVE at CVSS 7.8 (HIGH) and weighting that score against each customer environment's compliance policy to determine urgency and routing. Triage results are routable to the appropriate team inbox within each customer organization based on configured ownership rules for Windows-based workloads.
Status: Available
A patched-image rebuild at the applicable fix versions (10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, or 10.0.22631.7219, depending on the base image in use) becomes available on HarborGuard for any environment running an affected Windows image version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Status: Available
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network-facing service needs to be exposed.
- Authentication: Required
Any low-privilege local account is sufficient; the attacker does not need administrator or system-level credentials to trigger the vulnerability.
- Victim interaction: Not required
No user interaction is required; the attacker can trigger the use-after-free condition entirely from their own session.
- Attack complexity: Low
Attack complexity is rated low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- A successful attacker elevates their process privileges to SYSTEM or equivalent, gaining full administrative control of the host.
- Reads any file, credential, or secret accessible to higher-privileged processes, including tokens stored by other running services.
- Modifies or overwrites system files, registry keys, and persisted application data on the host.
- Crashes or terminates arbitrary processes, including security tooling and monitoring agents running on the same machine.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-42983 has been active across all customer environments since the CVE was ingested, covering any container image built on an affected Windows 10 or Windows 11 base. For environments running a vulnerable base image version, a patched rebuild at the appropriate fix version is available. Customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the triage ticket is routed to the designated team inbox with the CVSS 7.8 score and policy weighting already applied, so reviewers have the context they need to act quickly.
Fix available
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
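A defender auditing hosts or base images against the list above needs to compare the running build's UBR (the fourth component of the version) with the first fixed UBR for that build branch and edition. The following script is an added example, not HarborGuard's or Microsoft's code: it transcribes the fixed builds from the list into a table keyed by build branch and server/client edition, because Windows 11 24H2 and Windows Server 2025 share the 26100 branch but have different fixed builds on this page. The registry values it reads on a Windows host (CurrentMajorVersionNumber, CurrentMinorVersionNumber, CurrentBuildNumber, UBR and InstallationType under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) are the standard ones, but the local-read path is assumed to run on Windows; anywhere else, pass the version string on the command line. Branches the list does not mention (for example 22000 or 22621) are reported as "not listed" rather than guessed at.

```python
"""Compare a Windows build against the fixed builds listed for CVE-2026-42983.

Added example (not HarborGuard tooling). The table is transcribed from the
advisory's "Fix available" list; local build detection assumes the standard
CurrentVersion registry values on a Windows host.
"""
import sys
from typing import Optional, Tuple

# (build branch, server edition?) -> first fixed UBR, per the advisory list.
# The edition is part of the key because Windows 11 24H2 and Windows Server 2025
# both run on branch 26100 but are fixed at different UBRs.
FIXED_UBR = {
    (17763, False): 8880,   # Windows 10 Version 1809
    (17763, True): 8880,    # Windows Server 2019 (incl. Server Core)
    (19044, False): 7417,   # Windows 10 Version 21H2
    (19045, False): 7417,   # Windows 10 Version 22H2
    (20348, True): 5256,    # Windows Server 2022
    (22631, False): 7219,   # Windows 11 Version 23H2
    (26100, False): 8655,   # Windows 11 Version 24H2
    (26100, True): 32995,   # Windows Server 2025 (incl. Server Core)
    (26200, False): 8655,   # Windows 11 Version 25H2
    (28000, False): 2269,   # Windows 11 version 26H1
}


def parse_build(version: str) -> Tuple[int, int]:
    """Return (build, UBR) from a 'major.minor.build.ubr' string, e.g. '10.0.17763.8879'."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected four dotted integers, got {version!r}")
    major, minor, build, ubr = (int(p) for p in parts)
    if (major, minor) != (10, 0):
        raise ValueError(f"unexpected Windows version prefix {major}.{minor}")
    return build, ubr


def is_vulnerable(version: str, server: bool) -> Optional[bool]:
    """True if the build is below the fixed UBR for its branch and edition,
    False if it is at or above it, None if the branch is not in the advisory list."""
    build, ubr = parse_build(version)
    fixed = FIXED_UBR.get((build, server))
    if fixed is None:
        return None
    return ubr < fixed


def local_version() -> Tuple[str, bool]:
    """Read the running build from the registry (Windows only).
    InstallationType is 'Server' or 'Server Core' on server SKUs and 'Client' otherwise."""
    import winreg  # only importable on Windows
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        major = winreg.QueryValueEx(key, "CurrentMajorVersionNumber")[0]
        minor = winreg.QueryValueEx(key, "CurrentMinorVersionNumber")[0]
        build = winreg.QueryValueEx(key, "CurrentBuildNumber")[0]
        ubr = winreg.QueryValueEx(key, "UBR")[0]
        install_type = winreg.QueryValueEx(key, "InstallationType")[0]
    return f"{major}.{minor}.{build}.{ubr}", str(install_type).startswith("Server")


def describe(version: str, server: bool) -> str:
    """Human-readable verdict for one host or image build."""
    state = is_vulnerable(version, server)
    edition = "server" if server else "client"
    if state is None:
        return f"{version} ({edition}): branch not listed in the advisory, check the vendor table"
    if state:
        build, _ = parse_build(version)
        return f"{version} ({edition}): VULNERABLE, fixed at 10.0.{build}.{FIXED_UBR[(build, server)]}"
    return f"{version} ({edition}): patched"


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Offline use: python check_dwm_fix.py 10.0.26100.8655 [server]
        print(describe(sys.argv[1], len(sys.argv) > 2 and sys.argv[2].lower() == "server"))
    elif sys.platform == "win32":
        print(describe(*local_version()))
    else:
        sys.exit("usage: check_dwm_fix.py <major.minor.build.ubr> [server]")
```

Run without arguments on a Windows host to check the local build, or pass a version string (with `server` as a second argument for Server SKUs) to check an image manifest or inventory export offline. The `None` verdict is deliberate: an unlisted branch should be looked up in the vendor table rather than silently treated as patched.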
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C