CVE-2026-44813: Windows DWM Core Library Elevation of Privilege Vulnerability
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 10.0.28000.2269
- Affected Products: 1
HarborGuard Analysis
Synopsis
Use-after-free in the Windows DWM Core Library allows a locally authenticated attacker to elevate privileges to SYSTEM or equivalent. The vulnerability is reached from a local session with a low-privilege account and requires no network exposure or victim interaction. Successful exploitation gives the attacker full read, write, and availability control over the affected host. A patched-image rebuild at version 10.0.28000.2269 is available on HarborGuard for environments running an affected image.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Windows-based images. Any image packaging a Windows 11 26H1 component below 10.0.28000.2269 will surface as affected.
Available
HarborGuard scores this CVE at CVSS 7.8 HIGH and weights it against each environment's compliance policy to determine breach-of-threshold alerting and routing priority. Triage findings are delivered to the inbox or ticketing integration configured for the relevant team within each customer organization.
Available
A patched-image rebuild at 10.0.28000.2269 becomes available through HarborGuard once the upstream fix is confirmed in the ingested advisory. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required
  Any low-privilege local account is sufficient; no administrative or elevated credentials are needed to begin the attack.
- Victim interaction: Not required
  The attacker can execute the exploit entirely on their own without requiring any action from another user.
- Attack complexity: Detail
  The exploit is reliable and condition-free; no race conditions, specific memory layouts, or environmental prerequisites are needed.
Blast Radius
- Reads protected process memory, credential material, and sensitive user data stored on the host.
- Modifies system files, registry keys, or security configuration by writing with elevated privileges.
- Can terminate, suspend, or degrade services running on the affected host, disrupting availability.
- Full privilege escalation to SYSTEM-level access enables lateral movement or persistence within the host environment.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-44813 is active and matches any image containing a Windows 11 26H1 DWM component below version 10.0.28000.2269. Where compliance policy permits, HarborGuard can initiate a patched rebuild at the fixed version, execute a regression-test run, and open a pull request against affected workloads. For customers who have auto-remediation enabled, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. Customers who have not enabled auto-remediation will see the affected images flagged in their dashboard with the fix version cited, and can trigger a rebuild manually. Because this is a local privilege-escalation issue in a host-level library, additional compensating controls worth considering include restricting interactive local logons in container base images, enforcing least-privilege process execution, and auditing workloads that bundle Windows system libraries directly.
Fix available
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C