How is CVE-2026-44807 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network access to the target is required. Authentication (required): Any low-privilege local account is sufficient; the attacker does not need administrative or elevated credentials to trigger the vulnerability. Victim interaction (not-required): No user interaction is needed; the attacker can trigger the use-after-free entirely from their own process without involving another user. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

What is the impact of CVE-2026-44807?

Reads protected process memory, credentials, and other sensitive data belonging to higher-privileged processes. Writes to or modifies system state, files, and registry entries that a standard user account would normally be blocked from changing. Crashes or disrupts system services and processes, including the DWM compositor itself, causing desktop instability or denial of service. Provides a foothold for full system compromise by chaining this privilege escalation with other exploits or lateral-movement techniques.

Back to search

HIGHCVE-2026-44807Published 2026-06-09Modified 2026-06-16CNA microsoft

CVE-2026-44807: Windows DWM Core Library Elevation of Privilege Vulnerability

Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 10.0.28000.2269
Affected Products: 1

HarborGuard Analysis

Synopsis

Use-after-free in Windows DWM Core Library (the compositor responsible for rendering the Windows desktop) allows a local attacker with a standard user account to escalate privileges on affected Windows 11 26H1 systems. The vulnerability is reachable locally and requires no network exposure; any low-privilege process or shell on the host is sufficient to trigger it. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected system. A patched-image rebuild at version 10.0.28000.2269 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Windows base layers or Windows-derived components. Any image carrying a DWM Core Library version below 10.0.28000.2269 on the Windows 11 26H1 branch is flagged automatically.

Available

Triage

HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.8 (HIGH) and weighs it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox inside each customer org based on configured ownership rules.

Available

Patch

A patched-image rebuild at Windows 11 26H1 version 10.0.28000.2269 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the target is required.
AuthenticationRequired
Any low-privilege local account is sufficient; the attacker does not need administrative or elevated credentials to trigger the vulnerability.
Victim interactionNot required
No user interaction is needed; the attacker can trigger the use-after-free entirely from their own process without involving another user.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

Reads protected process memory, credentials, and other sensitive data belonging to higher-privileged processes.
Writes to or modifies system state, files, and registry entries that a standard user account would normally be blocked from changing.
Crashes or disrupts system services and processes, including the DWM compositor itself, causing desktop instability or denial of service.
Provides a foothold for full system compromise by chaining this privilege escalation with other exploits or lateral-movement techniques.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44807 runs against every customer registry and build pipeline, matching images that include Windows 11 26H1 base layers below version 10.0.28000.2269. Where compliance policy permits, a rebuilt image at the fixed version is made available immediately upon detection. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes a regression run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage patching manually can use the triage report to prioritize: because attack complexity is low and no network exposure is required, any container or VM image that ships a vulnerable Windows 11 26H1 layer and runs with local user access should be treated as an urgent rebuild target.

See how HarborGuard automates this

Fix available

10.0.28000.2269

Patch commits

Windows DWM Core Library Elevation of Privilege Vulnerability

Affected packages

Microsoft / Windows 11 version 26H1
< 10.0.28000.2269 (from 10.0.28000.0)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

References

Windows DWM Core Library Elevation of Privilege Vulnerability

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available