CVE-2026-44802: Windows DWM Core Library Elevation of Privilege Vulnerability
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 10.0.17763.8880
- Affected Products: 13
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Windows DWM (Desktop Window Manager) Core Library, a component present across multiple versions of Windows 10 and Windows 11. Exploitation requires only a low-privilege local account and no interaction from any other user, as indicated by the CVSS vector (AV:L/PR:L/UI:N). Successful exploitation gives the attacker full elevation of privileges on the affected host, including read, write, and availability control over the system. Patched-image rebuilds at the fix versions listed above are available on HarborGuard for environments running affected Windows base images.
HarborGuard Coverage
Detection for CVE-2026-44802 is available across every HarborGuard environment; the CVE is ingested from upstream feeds (NVD, Microsoft MSRC, and supplementary advisories) within minutes of publication and matched against all customer images, including custom-built images that layer on affected Windows base versions. Any image whose OS layer falls within the affected version ranges is flagged automatically in both registry scans and CI/CD pipeline checks.
HarborGuard scores this CVE at 7.8 HIGH (CVSS v3.1) and can weight that score against each customer environment's compliance policy, for example applying stricter SLAs for workloads with elevated sensitivity classifications. Findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild targeting the applicable fix versions (10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, and 10.0.22631.7219, among others) is available on HarborGuard for any environment whose scanned images are based on an affected Windows version. For customers who opt into auto-remediation, HarborGuard can perform a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network-facing service needs to be exposed.
- Authentication: Required
A low-privilege local account is sufficient; no administrative rights are required prior to exploitation.
- Victim interaction: Not required
No action from another user is needed; the attacker can trigger the vulnerability entirely on their own.
- Attack complexity
The exploit is reliable and condition-free, with no race conditions or unusual environmental prerequisites required.
Blast Radius
- The attacker gains full read access to memory and on-disk data belonging to higher-privileged processes, including credential stores accessible to SYSTEM.
- The attacker gains write access to privileged process memory and system resources, enabling persistent changes to the host configuration or installed software.
- The attacker can disrupt or terminate privileged system services, causing denial of service at the OS level.
- Privilege escalation to SYSTEM or equivalent gives the attacker effective full control over the compromised host and any workloads running on it.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-44802 is active for all scanned images built on affected Windows 10 and Windows 11 base layers, with no additional configuration required. For environments where a patched base image is available at the fix versions listed in the advisory, a rebuilt image is made available automatically. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where auto-remediation is not enabled, the finding appears in the HarborGuard dashboard with fix-version guidance so engineering teams can act manually. Because this is a local privilege-escalation vulnerability rather than a remotely reachable service flaw, compensating controls to consider in the interim include restricting which users hold interactive or service-account sessions on affected hosts, enforcing process isolation policies, and auditing container-to-host privilege boundaries in affected deployments.
Fix available
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
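The "Fix available" ranges above can be checked mechanically against an image or host inventory. The following is an added example, not HarborGuard's matching code: the table rows are copied from this page, while the function names and the sample inventory are constructed for illustration. It shows why the product must be known as well as the build, since Windows 11 Version 24H2 and Windows Server 2025 share build 26100 but have different fix revisions.

```python
# Added example (not HarborGuard code): range check over the fix table on this page.
# Rows are copied from the page; the two 23H2 rows differ only in case and share one key.
AFFECTED = {  # product: (first affected version, first fixed version)
    "Windows 10 Version 1809": ("10.0.17763.0", "10.0.17763.8880"),
    "Windows 10 Version 21H2": ("10.0.19044.0", "10.0.19044.7417"),
    "Windows 10 Version 22H2": ("10.0.19045.0", "10.0.19045.7417"),
    "Windows 11 Version 23H2": ("10.0.22631.0", "10.0.22631.7219"),
    "Windows 11 Version 24H2": ("10.0.26100.0", "10.0.26100.8655"),
    "Windows 11 Version 25H2": ("10.0.26200.0", "10.0.26200.8655"),
    "Windows 11 version 26H1": ("10.0.28000.0", "10.0.28000.2269"),
    "Windows Server 2019": ("10.0.17763.0", "10.0.17763.8880"),
    "Windows Server 2019 (Server Core installation)": ("10.0.17763.0", "10.0.17763.8880"),
    "Windows Server 2022": ("10.0.20348.0", "10.0.20348.5256"),
    "Windows Server 2025": ("10.0.26100.0", "10.0.26100.32995"),
    "Windows Server 2025 (Server Core installation)": ("10.0.26100.0", "10.0.26100.32995"),
}

def parse_version(text):
    """Turn 'major.minor.build.revision' into a tuple of ints for numeric comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected four numeric fields, got {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(product, version):
    """True when version lies in [first affected, first fixed) for the named product."""
    start, fixed = AFFECTED[product]  # KeyError: product is not in the page's table
    return parse_version(start) <= parse_version(version) < parse_version(fixed)

def affected_products(version):
    """Every product whose range contains version; more than one means build alone is ambiguous."""
    return sorted(p for p in AFFECTED if is_affected(p, version))

if __name__ == "__main__":
    # Constructed sample inventory: (image name, product, OS version).
    inventory = [
        ("build-agent", "Windows Server 2025", "10.0.26100.9000"),
        ("kiosk", "Windows 11 Version 24H2", "10.0.26100.9000"),
        ("legacy-app", "Windows Server 2019", "10.0.17763.8880"),
    ]
    for name, product, version in inventory:
        state = "AFFECTED" if is_affected(product, version) else "fixed"
        print(f"{name:12} {product:26} {version:18} {state}")
```

Comparing the fields as integers matters here: a plain string comparison would rank revision 9000 above 32995 and report the constructed Server 2025 image as fixed.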