CVE-2026-42905 Overview
CVE-2026-42905 is a use-after-free vulnerability [CWE-416] in the Windows Desktop Window Manager (DWM) Core Library. An authorized local attacker can exploit the flaw to elevate privileges on affected Windows client and server systems. Microsoft published the advisory on June 9, 2026, and the issue affects a broad range of supported Windows releases, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Windows Server 2025.
Critical Impact
Successful exploitation grants SYSTEM-level privileges from a low-privileged local account, enabling full compromise of confidentiality, integrity, and availability on the host.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2) on x86, x64, and ARM64
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) on x64 and ARM64
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025
Discovery Timeline
- 2026-06-09 - CVE-2026-42905 published to NVD
- 2026-06-09 - Microsoft releases security update via MSRC advisory
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-42905
Vulnerability Analysis
The Desktop Window Manager (DWM) Core Library handles compositing, rendering, and window management for the Windows graphical subsystem. DWM runs with elevated privileges and processes objects on behalf of user-mode sessions, making any memory safety defect in this component an attractive target for local privilege escalation.
This vulnerability is classified as a use-after-free [CWE-416]. The flaw occurs when the DWM Core Library continues to reference a heap object after that object has been freed. An attacker with valid local credentials can manipulate object lifetimes to trigger reuse of the freed allocation, then control the contents of the reclaimed memory to redirect execution within the privileged DWM context.
Root Cause
The root cause is improper object lifetime management inside the DWM Core Library. A code path releases a heap-allocated object while another path retains a dangling pointer to the same allocation. When the dangling pointer is later dereferenced, the attacker-controlled replacement object is treated as valid, leading to type confusion or controlled function pointer dispatch.
Attack Vector
Exploitation requires local access and a valid low-privileged account on the target. No user interaction is needed. The attacker triggers the vulnerable DWM code path from their session, races the free with a controlled allocation, and uses the resulting primitive to execute code or write memory under the DWM privilege level. Successful exploitation typically yields SYSTEM privileges.
No public proof-of-concept or in-the-wild exploitation has been reported. The EPSS probability is 0.08% (23.7th percentile) as of June 11, 2026.
Detection Methods for CVE-2026-42905
Indicators of Compromise
- Unexpected crashes or restarts of dwm.exe recorded in Windows Application or System event logs, particularly Event ID 1000 referencing the DWM Core Library module.
- Creation of new processes spawned as a child of dwm.exe or winlogon.exe that execute command shells, scripting hosts, or LOLBins.
- Sudden token elevation events where a previously low-privileged user context transitions to SYSTEM without a corresponding service or scheduled task launch.
Detection Strategies
- Monitor for anomalous memory access faults in dwmcore.dll and correlate with the originating user session to identify potential exploitation attempts.
- Hunt for local privilege escalation patterns where a non-admin process is followed by activity executed in the SYSTEM context within the same session.
- Apply behavioral analytics to identify exploitation primitives such as heap spraying, repeated DWM API invocations, and rapid object allocation/free cycles from user-mode processes.
Monitoring Recommendations
- Enable Windows Defender Application Control and Attack Surface Reduction rules that restrict the execution of unsigned binaries by standard users.
- Forward Sysmon Event IDs 1 (process creation), 10 (process access), and 11 (file create) involving dwm.exe to a centralized SIEM for correlation.
- Track privileged token usage and parent-child process relationships across endpoints to surface escalation chains originating from interactive sessions.
How to Mitigate CVE-2026-42905
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update CVE-2026-42905 advisory across all affected Windows client and server builds.
- Prioritize patching multi-user systems, terminal servers, and shared workstations where low-privileged accounts have interactive access.
- Audit local account inventories and remove unused or stale accounts that could be leveraged for local exploitation.
Patch Information
Microsoft has released cumulative updates addressing CVE-2026-42905 for all supported Windows 10, Windows 11, and Windows Server versions listed in the advisory. Refer to the Microsoft Security Update CVE-2026-42905 page for KB article numbers, download links, and known-issue notes per affected build.
Workarounds
- Microsoft has not documented an official workaround. Patching is the only supported remediation.
- Restrict interactive logon rights on sensitive systems to administrators only, reducing the population of accounts capable of triggering the local attack.
- Enforce least-privilege policies and application allow-listing to limit the ability of low-privileged users to deliver exploit code to vulnerable hosts.
# Verify installation of the latest cumulative update on a Windows host
wmic qfe list brief /format:table
# Trigger Windows Update scan and install via PowerShell
USoClient.exe StartScan
USoClient.exe StartInstall
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
