VYPR
Published Mar 10, 2026 · Updated May 18, 2026

Microsoft Windows Win32kfull LPE Vulnerability (CVE-2026-24285) Patched

Microsoft has released a security update for a local privilege escalation vulnerability in the win32kfull driver, tracked as CVE-2026-24285, which allows attackers to gain SYSTEM privileges.

Microsoft has patched a local privilege escalation vulnerability in the Windows win32kfull driver, designated CVE-2026-24285. The flaw, reported by researcher Marcin Wiazowski via the Zero Day Initiative, allows an attacker with low-privileged code execution to escalate privileges to SYSTEM. The vulnerability carries a CVSS score of 7.8, indicating high severity.

The issue lies in improper reference count management within the win32kfull driver. By exploiting this flaw, an attacker can manipulate kernel object references to gain elevated access. The attack requires local access and low privileges, but a successful exploit grants full control over the system. This type of vulnerability is commonly used in post-exploitation scenarios to bypass security restrictions.

Microsoft has issued a security update as part of its March 2026 Patch Tuesday release. The update addresses the vulnerability by correcting the reference count handling in the win32kfull driver. Users are strongly advised to apply the update promptly to mitigate the risk of exploitation.

The vulnerability was disclosed through a coordinated disclosure process, with the report submitted to Microsoft on December 5, 2025, and the advisory released on March 10, 2026. The Zero Day Initiative published the advisory (ZDI-26-181) detailing the flaw and the patch.

While no active exploitation has been publicly reported, local privilege escalation vulnerabilities in Windows kernel components are frequently targeted by malware and threat actors. The win32kfull driver has been a common source of such bugs in the past, making this patch critical for enterprise environments where attackers may already have a foothold.

Organizations should prioritize testing and deploying the update, especially on systems where users have limited privileges but could be compromised via phishing or other means. The update is available through Windows Update and the Microsoft Update Catalog.

This vulnerability highlights the ongoing challenge of memory safety in kernel-mode drivers. Microsoft continues to invest in mitigations like Virtualization-Based Security (VBS) and driver hardening, but flaws in reference counting remain a persistent issue. Users are encouraged to enable additional security features such as Credential Guard and Device Guard to reduce the impact of such vulnerabilities.

Synthesized by Vypr AI