CVE-2026-20822

win32kfull.sys -- use-after-free in graphics component from object lifetime mismanagement

Summary

Field                Value
Driver               win32kfull.sys (Windows Graphics Component)
Vulnerability Class  Use-After-Free
CVSS                 7.8
Exploited ITW        No
Patch Date           January 13, 2026

Context

Win32kfull.sys is the "full" variant of the Win32k subsystem, containing the complete GDI and USER implementations. It is the same component that produced the ITW-exploited CVE-2023-29336, where an unlocked nested menu object was freed during a callback while the parent's teardown path still held a reference. CVE-2026-20822 follows the same fundamental pattern: an object lifetime error that leaves a stale pointer accessible after the pointed-to memory has been freed.

The Win32k Deep Dive documents four categories of Win32k vulnerability patterns. This CVE falls into the "Object Lifetime Errors" category, the simplest variant, where the kernel frees an object too early or fails to increment a reference count before storing a pointer. While simpler than callback reentrancy UAFs, these bugs are equally exploitable.

Root Cause

The Win32k full graphics driver mismanages object lifetimes during graphical rendering operations. During a specific sequence of graphical object manipulation, the driver frees an internal structure and then continues to reference it through a stale pointer. The freed memory returns to the kernel pool, where it can be reclaimed by attacker-controlled allocations.

The specific object type and triggering sequence have not been publicly disclosed. Based on the win32kfull.sys component and the UAF classification, the vulnerable object is likely a GDI rendering structure (bitmap, palette, brush, or device context) or a USER object (window, menu, cursor) involved in rendering.

Exploitation

The attacker triggers the UAF through a specific sequence of graphical object operations reachable from any interactive session. Once the object is freed, the attacker sprays the kernel pool with controlled data sized to match the freed allocation. When win32kfull.sys dereferences the stale pointer, it operates on attacker-supplied content. Depending on the object type, this yields either a direct kernel R/W primitive (if the object contains data pointers) or a controlled function pointer call (if the object contains a vtable or callback).

From the primitive, the attacker performs token manipulation for SYSTEM escalation.

Exploitation Primitive

Graphical object sequence --> UAF --> heap reclaim
  --> kernel corruption --> SYSTEM

Broader Significance

CVE-2026-20822 is the twelfth Win32k subsystem vulnerability in the KernelSight corpus, spanning four years. Despite Microsoft's investments in Win32k Type Isolation, syscall lockdown, and callback hardening, the subsystem continues to produce exploitable bugs. The sheer size and complexity of win32kfull.sys, combined with its legacy architecture, means that object lifetime errors will likely continue to surface for years to come.

References