VYPR
patch · Published Mar 10, 2026 · Updated May 18, 2026 · 1 source

Microsoft Patches Win32kfull Local Privilege Escalation Vulnerability (CVE-2026-24285)

Microsoft has released a security update addressing CVE-2026-24285, a local privilege escalation vulnerability in the win32kfull driver. The flaw, which carries a CVSS score of 7.8, allows an attacker with low-privileged code execution on a target system to escalate privileges to SYSTEM. The vulnerability was reported to Microsoft by researcher Marcin Wiazowski and was publicly disclosed on March 10, 2026, through the Zero Day Initiative (ZDI) as advisory ZDI-26-182.

The specific flaw exists within the win32kfull driver, a core component of the Windows graphics subsystem. The issue stems from improper management of a reference count, a common class of memory corruption vulnerability. By exploiting this reference count error, an attacker can manipulate kernel memory to gain elevated privileges and execute arbitrary code in the context of SYSTEM, the highest level of access on a Windows system.

To exploit this vulnerability, an attacker must first obtain the ability to execute low-privileged code on the target system. This could be achieved through other means, such as tricking a user into running a malicious application or exploiting a separate vulnerability to gain initial access. Once low-privileged code execution is achieved, the attacker can leverage CVE-2026-24285 to elevate their privileges to SYSTEM, potentially allowing them to install programs, view, change, or delete data, or create new accounts with full user rights.

Microsoft has issued a security update to correct this vulnerability. Users are strongly advised to apply the update as soon as possible to protect their systems. The update is available through the Microsoft Security Response Center (MSRC), at the link provided in the advisory. The vulnerability affects all supported versions of Microsoft Windows.

The disclosure timeline indicates that the vulnerability was reported to Microsoft on December 2, 2025, and the coordinated public release of the advisory occurred on March 10, 2026. This three-month window is typical for responsible disclosure, allowing the vendor time to develop and test a patch before public details are released.

This vulnerability highlights the ongoing challenge of memory safety in operating system kernels. The win32kfull driver has been a frequent source of privilege escalation vulnerabilities in Windows, with numerous similar flaws patched over the years. While Microsoft has made significant strides in hardening the kernel, the complexity of the codebase means that reference count errors and other memory management issues continue to be discovered.

Users and administrators should prioritize applying the March 2026 security update to mitigate the risk posed by CVE-2026-24285. Because the exploit is local, the primary threat comes from malicious software already running on a system, making it critical to maintain good security practices such as running with the least privileges necessary and keeping software and antivirus protection up to date.

Synthesized by Vypr AI