CVE-2026-23668: Microsoft Windows cdd.dll Improper Locking Flaw Allows Local Privilege Escalation to SYSTEM
Microsoft has patched a high-severity local privilege escalation vulnerability in the Windows cdd.dll driver that allows attackers with low-privileged code execution to gain SYSTEM-level access.
Microsoft has released a security update addressing CVE-2026-23668, a critical local privilege escalation vulnerability in the Windows cdd.dll driver. Discovered by researcher Marcin Wiazowski and reported through the Zero Day Initiative (ZDI-26-178), the flaw carries a CVSS score of 8.8 and allows an attacker who already has low-privileged code execution on a target system can exploit it to elevate privileges to SYSTEM, the highest level of access on Windows.
The vulnerability resides in the cdd.dll driver, a component of the Windows graphics subsystem. The issue stems from improper locking when performing operations on an object, a classic race condition that can be triggered by a local attacker. By exploiting this lack of synchronization, an attacker can manipulate kernel objects to execute arbitrary code in the context of SYSTEM, effectively taking full control of the affected machine.
Because the vulnerability requires local access and prior low-privileged code execution, it is most dangerous in multi-user environments such as enterprise desktops, terminal servers, or sandboxed applications. An attacker who compromises a single user account or breaches a sandbox can leverage this flaw to pivot to SYSTEM, bypassing user account control and other security boundaries. The vulnerability does not require user interaction beyond the initial compromise.
Microsoft has issued a security update as part of its March 2026 Patch Tuesday release. The update is available via Windows Update and the Microsoft Update Catalog. The advisory, linked from the MSRC page for CVE-2026-2026-23668, provides details on affected Windows versions and the specific patch. Users and administrators are strongly advised to apply the update promptly, especially on systems where untrusted users have local access.
This vulnerability is part of a broader pattern of privilege escalation flaws in Windows kernel drivers. Similar issues have been disclosed in recent months, including the "MiniPlasma" zero-day exploit and other cdd-related bugs. The discovery by Marcin Wiazowski, a frequent contributor to ZDI's program, underscores the ongoing challenge of ensuring proper locking and synchronization in kernel-mode code.
Organizations should prioritize patching this vulnerability, particularly on servers and workstations used by multiple users or in environments with strict security requirements. While no active exploitation has been reported in the wild, the high CVSS score and the availability of 8.8 and the availability of a proof-of-concept exploit make it a likely target for attackers seeking to escalate privileges after an initial foothold.