PatchSiren cyber security CVE debrief
CVE-2026-32154 Microsoft CVE debrief
A use-after-free vulnerability in the Desktop Window Manager (DWM) on Windows allows an authorized attacker to elevate privileges locally. The flaw, rated HIGH severity (CVSS 7.8), was published on April 14, 2026, and last modified on June 1, 2026. Microsoft has addressed this issue through security updates for multiple Windows 11 versions (23H2, 24H2, 25H2, 26H1) and Windows Server editions (2022, 2022 23H2, 2025). The vulnerability is classified under CWE-416 (Use After Free) and requires local access with low privileges, but no user interaction, to achieve high impact on confidentiality, integrity, and availability.
- Vendor: Microsoft
- Product: Windows 10 Version 1607
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-14
- Original CVE updated: 2026-06-01
- Advisory published: 2026-04-14
- Advisory updated: 2026-06-01
Who should care
Organizations running affected Windows 11 and Windows Server versions should prioritize patching, particularly in environments where multiple users have interactive logon access or where endpoint privilege escalation could lead to broader network compromise. Security teams managing mixed-architecture deployments (x64 and ARM64) should ensure comprehensive patch coverage.
Technical summary
CVE-2026-32154 is a use-after-free vulnerability in the Desktop Window Manager (DWM) component of Windows. An attacker with local access and low privileges can exploit this memory safety flaw to escalate privileges without requiring user interaction. The vulnerability affects multiple Windows 11 client versions (23H2, 24H2, 25H2, 26H1) on both x64 and ARM64 architectures, as well as Windows Server 2022, Windows Server 2022 23H2, and Windows Server 2025. Microsoft has released security updates with specific build thresholds to remediate this issue. The CVSS 3.1 score of 7.8 reflects high impacts to confidentiality, integrity, and availability through a locally exploitable, low-complexity attack path.
Defensive priority
HIGH
Recommended defensive actions
- Apply the applicable Microsoft security update to bring systems to the patched build versions for each Windows edition.
- Prioritize patching on endpoints where low-privileged users have interactive logon access, as the attack vector is local and requires no user interaction.
- Monitor for anomalous privilege escalation activity related to Desktop Window Manager processes, particularly on unpatched systems.
- Validate patch deployment across both x64 and ARM64 Windows 11 devices, as both architectures are affected.
- Review Windows Server 2022, Server 2022 23H2, and Server 2025 systems for patch compliance, as these server platforms are also within the affected scope.
Evidence notes
The vulnerability is confirmed in official Microsoft and NVD sources. CPE data indicates affected Windows 11 builds across multiple feature updates (23H2 through 26H1) for both x64 and ARM64 architectures, plus Windows Server 2022, Server 2022 23H2, and Server 2025. Specific patch build numbers are documented: Windows 11 23H2 before 10.0.22631.6936; Windows 11 24H2 before 10.0.26100.8246; Windows 11 25H2 before 10.0.26200.8246; Windows 11 26H1 before 10.0.28000.1836; Windows Server 2022 before 10.0.20348.5020; Windows Server 2022 23H2 before 10.0.25398.2274; and Windows Server 2025 before 10.0.26100.32690. The CVSS vector confirms local attack vector, low attack complexity, low privileges required, no user interaction, and high impacts across all three security dimensions.
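The build thresholds above are what a patch-compliance check actually has to compare against, and build 26100 is shared by Windows 11 24H2 and Windows Server 2025 with different fixed revisions, so the client/server distinction matters. The following PowerShell script is an added example, not code from this debrief or from Microsoft: the threshold values are copied from the page, while the function names, the edition mapping by build number, and the use of Win32_OperatingSystem.ProductType to tell client from server are this example's own assumptions.

```powershell
# Added example (not from the PatchSiren debrief or Microsoft): compare a Windows build
# against the fixed-build thresholds quoted in the debrief for CVE-2026-32154.
# Threshold values come from the page; the edition mapping and function names are assumptions.

# Fixed builds as listed in the evidence notes. Build 26100 is shared by Windows 11 24H2
# and Windows Server 2025, so the client/server flag is needed to pick the right threshold.
$Cve202632154Thresholds = @(
    @{ Edition = 'Windows 11 23H2';        Build = 22631; Server = $false; Fixed = [Version]'10.0.22631.6936'  }
    @{ Edition = 'Windows 11 24H2';        Build = 26100; Server = $false; Fixed = [Version]'10.0.26100.8246'  }
    @{ Edition = 'Windows 11 25H2';        Build = 26200; Server = $false; Fixed = [Version]'10.0.26200.8246'  }
    @{ Edition = 'Windows 11 26H1';        Build = 28000; Server = $false; Fixed = [Version]'10.0.28000.1836'  }
    @{ Edition = 'Windows Server 2022';    Build = 20348; Server = $true;  Fixed = [Version]'10.0.20348.5020'  }
    @{ Edition = 'Windows Server 2022 23H2'; Build = 25398; Server = $true; Fixed = [Version]'10.0.25398.2274' }
    @{ Edition = 'Windows Server 2025';    Build = 26100; Server = $true;  Fixed = [Version]'10.0.26100.32690' }
)

function Test-Cve202632154Patched {
    # Pure comparison: takes a full four-part build and a client/server flag, returns a status object.
    param(
        [Parameter(Mandatory)][Version]$OsVersion,   # e.g. 10.0.26100.8245 (major.minor.build.UBR)
        [Parameter(Mandatory)][bool]$IsServer
    )
    $match = $Cve202632154Thresholds |
        Where-Object { $_.Build -eq $OsVersion.Build -and $_.Server -eq $IsServer }
    if (-not $match) {
        # Builds outside the page's documented scope (e.g. Windows 10) are reported, not judged.
        return [pscustomobject]@{ Edition = 'unknown'; OsVersion = $OsVersion; FixedBuild = $null; Status = 'NotInDocumentedScope' }
    }
    $status = if ($OsVersion -ge $match.Fixed) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{ Edition = $match.Edition; OsVersion = $OsVersion; FixedBuild = $match.Fixed; Status = $status }
}

function Get-LocalOsVersion {
    # CurrentBuildNumber alone is not enough: the UBR value carries the cumulative-update revision
    # that the thresholds above are expressed in.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [Version]('10.0.{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
}

# Constructed sample inputs so the comparison logic can be exercised on any host:
Test-Cve202632154Patched -OsVersion ([Version]'10.0.26100.8245') -IsServer $false   # one revision below the 24H2 threshold
Test-Cve202632154Patched -OsVersion ([Version]'10.0.26100.8246') -IsServer $false   # exactly the 24H2 threshold
Test-Cve202632154Patched -OsVersion ([Version]'10.0.26100.8246') -IsServer $true    # same build, evaluated as Server 2025
Test-Cve202632154Patched -OsVersion ([Version]'10.0.19045.1000') -IsServer $false   # a build the page does not list

# Check the host this script runs on (Windows only); ProductType 1 = workstation, 2/3 = server.
if ($IsWindows -or $env:OS -eq 'Windows_NT') {
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
    Test-Cve202632154Patched -OsVersion (Get-LocalOsVersion) -IsServer $isServer |
        Add-Member -NotePropertyName Architecture -NotePropertyValue $env:PROCESSOR_ARCHITECTURE -PassThru
}
```

The architecture is attached to the result only for inventory purposes: the page lists the same fixed builds for x64 and ARM64, so it does not change the verdict, but it lets a fleet-wide report confirm that both architectures were covered. Running the function over an exported inventory (build string plus product type per host) rather than on each machine gives the same answer without touching endpoints.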
Official resources
- CVE-2026-32154 CVE record (CVE.org)
- CVE-2026-32154 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Microsoft disclosed this vulnerability through its Security Response Center. The CVE record was initially published on April 14, 2026, with subsequent modification on June 1, 2026, reflecting ongoing analysis or update activity. No known C|