Microsoft Patches CVE-2026-33104: Win32k LPE Vulnerability Allows SYSTEM Access to SYSTEM
Microsoft has released a patch for CVE-2026-33104, a local privilege escalation vulnerability in the win32kfull driver that allows attackers with low-privileged code execution to gain SYSTEM privileges.
Microsoft has released a security update addressing CVE-2026-33104, a local privilege escalation (LPE) vulnerability in the Windows win32kfull driver. The flaw, disclosed by the Zero Day Initiative as ZDI-26-278, carries a CVSS score of 7.8 and was reported by security researcher Marcin Wiazowski. An attacker who first obtains the ability to execute low-privileged code on a target system can exploit this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.
The vulnerability stems from improper locking when performing operations on an object within the win32kfull driver. This class of race condition or missing synchronization flaw is a common pattern in kernel-mode drivers, where concurrent access to shared resources without proper locking can lead to use-after-free or double-fetch conditions. In this case, an attacker can leverage the race to overwrite kernel structures and gain elevated privileges.
Microsoft has classified the vulnerability as "Important" and has released a patch through its standard update mechanism. The update is available via the Microsoft Security Response Center (MSRC) at this advisory. Users and administrators are strongly advised to apply the update as soon as possible, particularly on systems where untrusted users have local access.
The disclosure timeline shows that the vulnerability was reported to Microsoft on February 25, 2026, and the coordinated public release of the advisory occurred on April 15, 2026. This roughly 50-day turnaround is typical for Microsoft's patch cycle, though the severity of the flaw — allowing full SYSTEM access from a low-privileged foothold — underscores the importance of timely patching.
While no active exploitation has been publicly reported at the time of disclosure, the nature of the vulnerability makes it a prime target for malware authors and penetration testers alike. Local privilege escalation bugs in the Windows kernel are frequently chained with other vulnerabilities or used by post-exploitation frameworks to achieve full system compromise. The win32kfull driver has been a historically rich source of such bugs, with dozens of similar CVEs patched over the past decade.
Organizations should prioritize this update as part of their regular patch management cycle. For environments where immediate patching is not feasible, Microsoft has not provided any specific workarounds beyond applying the security update. Given the local attack vector and the requirement for prior code execution, the most effective mitigation remains restricting local access to trusted users and maintaining up-to-date endpoint protection.