CVE-2026-44808: Windows DWM Core Library Elevation of Privilege Vulnerability
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 10.0.28000.2269
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Use-after-free vulnerability in the Windows DWM Core Library (Desktop Window Manager) allows a local attacker to elevate privileges on affected Windows 11 systems. The attacker must already have a low-privilege local account and shell access; no network exposure is required. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the system. A patched-image rebuild at version 10.0.28000.2269 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Windows-based container images, to identify any running an affected version of the DWM Core Library.
AvailableHarborGuard scores this CVE at CVSS 7.8 (HIGH) and surfaces it through each customer org's compliance policy weighting to route alerts to the appropriate team inbox. Per-environment policy configuration determines prioritization and escalation paths without requiring manual triage setup.
AvailableA patched-image rebuild at Windows 11 version 10.0.28000.2269 becomes available through HarborGuard once the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- AuthenticationRequired
Any low-privilege local account is sufficient; the attacker does not need administrator or elevated credentials to begin exploitation.
- Victim interactionNot required
No action from another user or victim is needed; the attacker can trigger the vulnerability entirely on their own.
- Attack complexityDetail
The exploit is reliable and condition-free, requiring no race conditions, specific memory layouts, or environmental setup beyond having a local account.
Blast Radius
- Reads sensitive data stored on the system, including credentials, tokens, and user files.
- Modifies or deletes persisted files, registry entries, and system configuration.
- Crashes or disrupts affected system services and processes.
- Gains full administrative control over the compromised host, enabling lateral movement or persistence.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-44808 is active across all connected registries and build pipelines, matching images against the affected version range (10.0.28000.0 to below 10.0.28000.2269) within minutes of image ingestion. Where compliance policy permits, a rebuilt image at the patched version 10.0.28000.2269 is made available automatically. For customers who opt into auto-remediation, HarborGuard performs a full image rebuild at the fix version, executes a regression test run, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the rebuild is staged and waiting for manual approval in the HarborGuard dashboard. Given that exploitation requires only a low-privilege local account, prioritizing this fix in any Windows 11 container workload running the affected version is strongly warranted.
Fix available
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C