VYPR
patch · Published Mar 10, 2026 · Updated May 18, 2026 · 1 source

Microsoft Patches Critical Win32kfull Privilege Escalation Flaw CVE-2026-23668

Microsoft has released a patch for CVE-2026-23668, a critical local privilege escalation vulnerability in the win32kfull driver that allows attackers to gain SYSTEM privileges.

Microsoft has issued a security update to address CVE-2026-23668, a critical local privilege escalation vulnerability in the Windows win32kfull driver. The flaw, disclosed by the Zero Day Initiative as ZDI-26-179, carries a CVSS score of 8.8 and allows an attacker with low-privileged code execution on a target system to escalate privileges to SYSTEM.

The vulnerability resides in the win32kfull driver, a core component of the Windows graphics subsystem. According to the advisory, the issue stems from improper locking when performing operations on an object. This race condition or synchronization flaw enables a local attacker to manipulate kernel-mode objects, ultimately achieving arbitrary code execution in the highest privilege context available on Windows.

To exploit CVE-2026-23668, an attacker must first gain the ability to execute low-privileged code on the target system, such as through a malicious application or a separate initial access vector. Once achieved, the exploit can be triggered locally to bypass user account controls and gain full SYSTEM-level access, effectively compromising the entire machine.

The vulnerability was reported to Microsoft by researcher Marcin Wiazowski on December 2, 2025. Microsoft coordinated the disclosure and released a patch on March 10, 2026, as part of its regular Patch Tuesday cycle. The update is available through the Microsoft Security Response Center (MSRC).

Given the high CVSS score and the fact that the vulnerability requires only low privileges to exploit, CVE-2026-23668 is considered a significant threat in enterprise environments where attackers often chain multiple local privilege escalation flaws to move laterally or gain persistence. Organizations are strongly advised to apply the patch promptly, especially on workstations and servers where untrusted users or applications may be present.

This vulnerability is part of a broader pattern of privilege escalation flaws in the Windows kernel that Microsoft patches regularly. The win32kfull driver has been a frequent source of such bugs, making it a key target for both security researchers and threat actors. The coordinated disclosure timeline and the availability of a patch mean that exploitation in the wild is less likely, but unpatched systems remain at risk.

Synthesized by Vypr AI