CVE-2026-23667 Overview
CVE-2026-23667 is a use-after-free vulnerability in the Windows Broadcast DVR component that allows an authorized attacker to elevate privileges locally. This memory corruption flaw exists across multiple versions of Windows 10 and Windows 11 operating systems, affecting both x64 and ARM64 architectures.
The vulnerability requires local access and an authorized user account to exploit, but successful exploitation grants the attacker elevated privileges on the target system. Use-after-free vulnerabilities occur when a program continues to use a pointer after the memory it references has been freed, potentially allowing attackers to execute arbitrary code or escalate privileges.
Critical Impact
An authorized local attacker can exploit this use-after-free vulnerability in Windows Broadcast DVR to escalate privileges, potentially gaining SYSTEM-level access on affected Windows 10 and Windows 11 systems.
Affected Products
- Microsoft Windows 10 1809 (x64, x86)
- Microsoft Windows 10 21H2 (x64, x86, ARM64)
- Microsoft Windows 10 22H2 (x64, x86, ARM64)
- Microsoft Windows 11 23H2 (x64, ARM64)
- Microsoft Windows 11 24H2 (x64, ARM64)
- Microsoft Windows 11 25H2 (x64, ARM64)
- Microsoft Windows 11 26H1 (x64, ARM64)
Discovery Timeline
- 2026-03-10 - CVE-2026-23667 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-23667
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free), a memory corruption vulnerability that occurs when a program continues to reference memory after it has been freed. In the context of the Windows Broadcast DVR component, this flaw can be triggered by an authorized user with local access to the system.
The Broadcast DVR component is part of Windows Game Bar functionality, handling video recording and streaming features. The use-after-free condition arises when the component improperly manages memory objects during specific operations, leaving a dangling pointer that can be exploited.
Successful exploitation requires the attacker to have valid credentials on the target system and local access. While the attack complexity is considered high due to specific conditions that must be met, the impact is significant—allowing complete compromise of confidentiality, integrity, and availability on the affected system.
Root Cause
The root cause of CVE-2026-23667 is improper memory management within the Broadcast DVR component. Specifically, the vulnerability occurs when memory is freed but the associated pointer is not properly nullified or the freed memory block is subsequently accessed. This creates a window of opportunity where an attacker can manipulate the freed memory region.
When the vulnerable code path attempts to use the stale pointer, the attacker can potentially control the data at that memory location, leading to arbitrary code execution with elevated privileges. The memory safety violation allows bypassing normal security boundaries enforced by the Windows operating system.
Attack Vector
The attack vector for CVE-2026-23667 is local, requiring an attacker to have authenticated access to the target system. The exploitation scenario involves:
- An attacker with standard user credentials gains local access to a Windows system running an affected version
- The attacker triggers the vulnerable code path in the Broadcast DVR component
- Through careful manipulation of memory allocation patterns, the attacker controls the contents of the freed memory region
- When the dangling pointer is dereferenced, the attacker's controlled data is used, enabling privilege escalation
- The attacker achieves elevated privileges, potentially reaching SYSTEM-level access
The high attack complexity indicates that specific race conditions or memory layout requirements must be satisfied for successful exploitation. However, this should not diminish the urgency of applying patches, as sophisticated attackers may develop reliable exploitation techniques.
Detection Methods for CVE-2026-23667
Indicators of Compromise
- Unusual process behavior from GameBar.exe or related Broadcast DVR processes attempting to spawn child processes with elevated privileges
- Abnormal memory allocation patterns or heap corruption events associated with Windows Game Bar components
- Privilege escalation events where standard user processes gain SYSTEM-level access without legitimate authorization
Detection Strategies
- Monitor for suspicious process creation events where GameBar.exe, GameBarPresenceWriter.exe, or related DVR components spawn unexpected child processes
- Implement endpoint detection rules to identify use-after-free exploitation patterns, including heap spray techniques and memory corruption indicators
- Enable Windows Event Log monitoring for Security Event ID 4688 (Process Creation) to track privilege escalation attempts following DVR component activity
Monitoring Recommendations
- Deploy behavioral analysis solutions to detect anomalous privilege escalation attempts on endpoints running affected Windows versions
- Configure SentinelOne Singularity to monitor for memory corruption exploitation techniques targeting Windows system components
- Review system integrity by auditing processes running with elevated privileges that were spawned by user-level applications
How to Mitigate CVE-2026-23667
Immediate Actions Required
- Apply the Microsoft security update for CVE-2026-23667 immediately on all affected Windows 10 and Windows 11 systems
- Prioritize patching for systems in environments where users have local access and authentication credentials
- Verify patch deployment across the enterprise using vulnerability scanning and compliance tools
Patch Information
Microsoft has released security updates to address CVE-2026-23667. Detailed patch information and download links are available in the Microsoft Security Update Guide for CVE-2026-23667. Organizations should deploy these updates through Windows Update, WSUS, or Microsoft Endpoint Configuration Manager according to their standard patch management processes.
The security update addresses the improper memory handling in the Broadcast DVR component by ensuring proper pointer management and preventing use-after-free conditions.
Workarounds
- If immediate patching is not possible, consider disabling the Game Bar feature through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Game Recording and Broadcasting)
- Restrict local access and enforce the principle of least privilege to limit the number of authorized users who could potentially exploit this vulnerability
- Implement application control policies to monitor and restrict execution of Game Bar components where DVR functionality is not required
# PowerShell command to disable Game Bar via Registry (temporary workaround)
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" -Name "AppCaptureEnabled" -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" -Name "AllowGameDVR" -Value 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
