PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32152 Microsoft CVE debrief

A use-after-free vulnerability in the Desktop Window Manager (DWM) on Windows allows an authorized local attacker to elevate privileges. The flaw was published on 14 April 2026 and last modified on 1 June 2026. Microsoft has issued a security update addressing this vulnerability across multiple Windows 11 versions (23H2, 24H2, 25H2, 26H1) for both x64 and ARM64 architectures, as well as Windows Server 2022, Server 2022 23H2, and Server 2025. The vulnerability is classified as CWE-416 (Use After Free) and carries a CVSS 3.1 score of 7.8 (HIGH), with a local attack vector requiring low attack complexity and low privileges, but no user interaction. Successful exploitation could result in complete compromise of confidentiality, integrity, and availability on the affected system. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor
Microsoft
Product
Windows 11 version 22H3
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-14
Original CVE updated
2026-06-01
Advisory published
2026-04-14
Advisory updated
2026-06-01

Who should care

Organizations running affected Windows 11 and Windows Server versions should prioritize patching, particularly endpoints and servers where standard users have interactive access. Security operations teams should monitor for exploitation indicators, and system administrators should ensure automated update deployment covers the specific build thresholds identified in Microsoft's advisory.

Technical summary

The vulnerability exists in the Desktop Window Manager (DWM), the compositing window manager in Windows that renders visual effects and desktop presentation. A use-after-free condition occurs when memory is freed but a pointer to that memory is subsequently dereferenced, potentially allowing an attacker to corrupt memory and execute arbitrary code in a privileged context. Because DWM runs with elevated privileges, successful exploitation enables a local attacker with basic user access to escalate to SYSTEM or equivalent privileges. The attack requires no user interaction and has low complexity, making it attractive for post-compromise privilege escalation in multi-stage attacks. Microsoft has released cumulative updates addressing the underlying memory management flaw.

Defensive priority

HIGH

Recommended defensive actions

  • Apply the relevant Microsoft security update for your Windows version as listed in the vendor advisory. The minimum fixed builds are:
  • Windows 11 23H2: build 10.0.22631.6936 or later.
  • Windows 11 24H2: build 10.0.26100.8246 or later.
  • Windows 11 25H2: build 10.0.26200.8246 or later.
  • Windows 11 26H1: build 10.0.28000.1836 or later.
  • Windows Server 2022: build 10.0.20348.5020 or later.
  • Windows Server 2022 23H2: build 10.0.25398.2274 or later.
  • Windows Server 2025: build 10.0.26100.32690 or later.
  • Prioritize patching on systems where multiple users have interactive logon access or where least-privilege principles are not fully enforced, given the low privilege requirements for exploitation.
  • Monitor for anomalous privilege escalation attempts and ensure DWM-related crash events are logged and reviewed.
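The following PowerShell script is an added example, not part of the PatchSiren debrief or any Microsoft tooling: it compares the local build against the fixed-build thresholds listed above and pulls recent dwm.exe crash events from the Application log as a triage signal. The thresholds are the advisory's; the split of build 26100 between Windows 11 24H2 and Windows Server 2025 by product type, and the use of Event ID 1000 for DWM crashes, are assumptions.

```powershell
# Added example: local patch-level check and DWM crash triage for CVE-2026-32152.
# Fixed builds are taken from the advisory; everything else is an assumption.

function Get-Cve202632152FixedBuild {
    param([string]$CurrentBuild, [bool]$IsServer)
    # Keyed by CurrentBuild; 26100 is shared by Windows 11 24H2 and Server 2025.
    $table = @{
        '22631' = '10.0.22631.6936'   # Windows 11 23H2
        '26200' = '10.0.26200.8246'   # Windows 11 25H2
        '28000' = '10.0.28000.1836'   # Windows 11 26H1
        '20348' = '10.0.20348.5020'   # Windows Server 2022
        '25398' = '10.0.25398.2274'   # Windows Server 2022 23H2
    }
    if ($CurrentBuild -eq '26100') {
        $v = if ($IsServer) { '10.0.26100.32690' } else { '10.0.26100.8246' }
        return [version]$v
    }
    if ($table.ContainsKey($CurrentBuild)) { return [version]$table[$CurrentBuild] }
    return $null   # release line not covered by this advisory
}

function Test-Cve202632152Patched {
    # CurrentBuild plus UBR from the registry gives the full build, e.g. 10.0.22631.6936
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $installed = [version]"10.0.$($nt.CurrentBuild).$($nt.UBR)"
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
    $fixed = Get-Cve202632152FixedBuild -CurrentBuild $nt.CurrentBuild -IsServer $isServer
    $status = if ($null -eq $fixed) { 'NotCovered' }
              elseif ($installed -ge $fixed) { 'Patched' } else { 'VULNERABLE' }
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Installed = $installed
                       Fixed = $fixed; Status = $status }
}

function Get-DwmCrashEvents {
    param([int]$Days = 7)
    # Application Error (Event ID 1000) entries naming dwm.exe as the faulting process.
    # Repeated DWM crashes, patched or not, deserve a closer look by the SOC.
    $filter = @{ LogName = 'Application'; Id = 1000; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)dwm\.exe' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Test-Cve202632152Patched | Format-List
Get-DwmCrashEvents | Format-Table -AutoSize
```

Run it elevated on each host, or wrap the two calls in Invoke-Command to sweep a fleet; a Status of VULNERABLE means the installed build is below the advisory's threshold for that release line.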

Evidence notes

The vulnerability is confirmed as CWE-416 (Use After Free) per Microsoft MSRC advisory. CPE data indicates affected Windows 11 builds prior to 10.0.22631.6936 (23H2), 10.0.26100.8246 (24H2), 10.0.26200.8246 (25H2), 10.0.28000.1836 (26H1), Windows Server 2022 prior to 10.0.20348.5020, Server 2022 23H2 prior to 10.0.25398.2274, and Server 2025 prior to 10.0.26100.32690. The CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirms local privilege escalation with high impact across all three security objectives.

Official resources

Microsoft disclosed this vulnerability through its Security Response Center. The CVE record was published on 14 April 2026 and underwent modification on 1 June 2026, likely reflecting updated product coverage or analysis status changes from