CVE-2026-44811: Windows DWM Core Library Elevation of Privilege Vulnerability
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 10.0.28000.2269
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Windows DWM Core Library (Desktop Window Manager) allows a local attacker to escalate privileges on the affected system. The attacker must already hold a low-privilege local account and does not need to reach the system over a network; no user interaction is required. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability on the host. A patched-image rebuild at version 10.0.28000.2269 is available on HarborGuard for environments running an affected version of Windows 11 26H1.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Windows 11 26H1 base layers. Any image whose OS version falls below 10.0.28000.2269 is flagged automatically.
AvailableHarborGuard scores this CVE at CVSS 7.8 HIGH and is capable of weighting that score against each customer's per-environment compliance policy to determine urgency. Triage findings are routed to the appropriate inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild pinned to fix version 10.0.28000.2269 becomes available on HarborGuard for every environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the service is required.
- AuthenticationRequired
Any low-privilege local account is sufficient; the attacker does not need administrator or elevated credentials to attempt exploitation.
- Victim interactionNot required
No user action such as clicking a link or opening a file is needed; the attacker can trigger the vulnerability directly.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental prerequisites.
Blast Radius
- A successful attacker reads protected files, credentials, and in-memory secrets belonging to other processes or users on the host.
- A successful attacker modifies or overwrites files, registry entries, and process memory outside the bounds of their original low-privilege account.
- A successful attacker crashes or destabilizes the Desktop Window Manager and dependent system services, disrupting the host session.
- Combined high-impact ratings across confidentiality, integrity, and availability mean the attacker effectively achieves full local system compromise.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE ingestion for any image running Windows 11 26H1 below version 10.0.28000.2269, including images built on custom internal base layers. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, runs a regression test, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where compliance policy does not permit auto-remediation, the flagged finding is routed to the designated team inbox with CVSS scoring and fix-version details attached, so engineers can act on the specific image layers that need updating.
Fix available
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C