VYPR
patch · Published Mar 10, 2026 · Updated May 18, 2026 · 1 source

CVE-2026-24285: Microsoft Windows win32kfull Driver Flaw Allows Local Privilege Escalation to SYSTEM

Microsoft has patched a local privilege escalation vulnerability in the Windows win32kfull driver, tracked as CVE-2026-24285, which allows an attacker with low-privileged code execution to gain SYSTEM-level access.

Microsoft has released a security update to address CVE-2026-24285, a local privilege escalation vulnerability in the Windows win32kfull driver. The flaw, disclosed on March 10, 2026, by the Zero Day Initiative (ZDI) and reported by researcher Marcin Wiazowski, allows an attacker who already has low-privileged code execution on a target system to elevate privileges to SYSTEM. The vulnerability carries a CVSS score of 7.8, with a vector of AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, reflecting the high impact on confidentiality, integrity, and availability despite the need for local access and high attack complexity.

The root cause of CVE-2026-24285 lies in improper reference count management within the win32kfull driver. Reference counting is a memory management technique that tracks how many objects or handles currently reference a particular resource, so that the resource is released only when the last reference is dropped. When the count is mishandled, for example when a reference is released without a matching acquisition, the count can reach zero while the resource is still in use, producing a use-after-free condition or other memory corruption. An attacker can exploit this to execute arbitrary code in the context of the SYSTEM account, effectively gaining full control over the affected Windows machine.
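To make the reference-counting failure mode concrete, here is an added C illustration. It is not code from the advisory, from Microsoft, or from win32kfull; the object type, the table entry and the two lookup helpers are hypothetical, constructed only to show the generic bug class (a release without a matching acquire) beside the corrected pattern. Instead of calling free() the object is marked destroyed, so a dangling use is detected deterministically rather than relying on undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reference-counted object, constructed for illustration.
 * It is not a win32kfull structure; it only models the bug class. */
typedef struct {
    int refcount;
    int destroyed;   /* instrumented: set instead of calling free(), so a dangling use is observable */
    char name[16];
} obj_t;

static obj_t *obj_create(const char *name) {
    obj_t *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    o->refcount = 1;                              /* the creator (here: a lookup table) holds the first reference */
    strncpy(o->name, name, sizeof o->name - 1);
    return o;
}

static void obj_acquire(obj_t *o) { o->refcount++; }

/* Returns 1 if this release dropped the last reference and destroyed the object. */
static int obj_release(obj_t *o) {
    if (--o->refcount == 0) {
        o->destroyed = 1;                         /* a real implementation would free(o) here */
        return 1;
    }
    return 0;
}

/* Returns 0 on success, -1 if the object was already destroyed (a use-after-free). */
static int obj_use(const obj_t *o) {
    return o->destroyed ? -1 : 0;
}

/* Buggy helper: hands out a borrowed pointer without taking a reference.
 * The caller then treats the pointer as owned and releases it. */
static obj_t *lookup_borrowed(obj_t *table_entry) { return table_entry; }

/* Under-counted flow: one release too many frees the object out from under the table. */
static int buggy_flow(void) {
    obj_t *entry = obj_create("window");          /* table holds 1 reference */
    obj_t *p = lookup_borrowed(entry);            /* no acquire: count still 1 */
    obj_release(p);                               /* drops the table's reference -> object destroyed */
    int rc = obj_use(entry);                      /* table still points at it: dangling use, rc == -1 */
    free(entry);                                  /* teardown of the instrumented object */
    return rc;
}

/* Fixed helper: every pointer handed out carries its own reference. */
static obj_t *lookup_referenced(obj_t *table_entry) {
    obj_acquire(table_entry);
    return table_entry;
}

/* Balanced flow: the caller's release undoes only the caller's own acquire. */
static int fixed_flow(void) {
    obj_t *entry = obj_create("window");          /* count 1 (table) */
    obj_t *p = lookup_referenced(entry);          /* count 2 (table + caller) */
    obj_release(p);                               /* back to 1, object alive */
    int rc = obj_use(entry);                      /* rc == 0 */
    obj_release(entry);                           /* table drops the last reference -> destroyed */
    free(entry);
    return rc;
}

int main(void) {
    printf("buggy flow: obj_use returned %d (negative = dangling reference)\n", buggy_flow());
    printf("fixed flow: obj_use returned %d\n", fixed_flow());
    return 0;
}
```

The point of the contrast is the invariant a reviewer or static check would enforce: every function that returns a pointer to a counted object must either take a reference on the caller's behalf or document that the pointer is borrowed, and the caller must release exactly what it acquired.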

This vulnerability affects all supported versions of Microsoft Windows. The win32kfull driver is a core component of the Windows graphics subsystem, responsible for window management, input processing, and other graphics operations requested by user-mode applications. Because the driver runs with kernel-level privileges, any flaw that allows code execution within it can be leveraged for complete system compromise. The attack requires the attacker to already have some level of code execution on the system, making it a post-exploitation escalation vector rather than an initial entry point.

Microsoft has issued a security update as part of its March 2026 Patch Tuesday release. The update is available through the Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24285. Users and administrators are strongly advised to apply the patch immediately, especially on systems where untrusted users have local access or where low-privilege accounts could be compromised through other means.

The disclosure timeline shows that Wiazowski reported the vulnerability to Microsoft on December 2, 2025, and coordinated public release occurred on March 10, 2026. This three-month window is typical for responsible disclosure, allowing the vendor time to develop and test a fix before public details emerge. No evidence of in-the-wild exploitation has been reported at this time, but the availability of technical details in the advisory increases the risk of reverse engineering and exploit development.

Local privilege escalation vulnerabilities in Windows kernel components remain a persistent threat. Similar flaws in win32k and related drivers have been exploited in the past by both cybercriminals and nation-state actors to break out of sandboxes or elevate from limited access. The inclusion of this vulnerability in the March 2026 patch cycle underscores the importance of keeping Windows systems up to date, particularly for enterprise environments where privilege separation is a key security boundary.

Synthesized by Vypr AI