HIGH | CVE-2026-44804 | CNA: microsoft

CVE-2026-44804: Windows DWM Core Library Elevation of Privilege Vulnerability

Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 10.0.28000.2269
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Use-after-free in the Windows DWM Core Library allows a local attacker with a low-privilege account to escalate their privileges on the affected host. The vulnerability is reached locally (no network exposure required) and requires only a standard user account to trigger. Successful exploitation gives the attacker full control over the affected system, including reading sensitive data, modifying files, and crashing or controlling running processes. A patched-image rebuild at version 10.0.28000.2269 is available on HarborGuard for environments running an affected version of Windows 11 26H1.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle affected Windows 11 26H1 base layers. Any image carrying a DWM Core Library version below 10.0.28000.2269 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 7.8 HIGH using the CVSS v3.1 vector and weights it against each customer environment's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox or ticketing integration configured for each customer org, so the right team sees the alert without manual filtering.

Status: Available

Patch

A patched-image rebuild at Windows 11 26H1 version 10.0.28000.2269 becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the vulnerability; no administrative rights are needed.

  • Victim interaction: Not required

    The attacker can exploit this without any action from another user on the system.

  • Attack complexity: Low

    The exploit is reliable and condition-free; no race conditions or special environmental factors need to be arranged.

Blast Radius

  • A successful attacker reads confidential files and stored credentials accessible on the host, including data belonging to higher-privileged processes.
  • The attacker modifies system files, registry keys, and application data across the host, not just within their original privilege boundary.
  • The attacker gains the ability to terminate, inject into, or fully control other running processes on the system.
  • The affected service and dependent processes can be crashed or made unavailable by the attacker at will.

How HarborGuard Handles This

Available on HarborGuard: detection against the affected DWM Core Library version range fires within minutes of CVE ingestion for any customer image containing a Windows 11 26H1 layer below 10.0.28000.2269. Where compliance policy permits, a patched-image rebuild at 10.0.28000.2269 is queued automatically. For customers with auto-remediation enabled, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually will find the patched rebuild staged and ready in their HarborGuard registry view alongside the triage report.


Fix available: 10.0.28000.2269

Affected packages

  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C