CVE-2026-20842
dwmcore.dll -- elevation of privilege in Desktop Window Manager
Summary
| Field | Value |
|---|---|
| Component | dwmcore.dll (Desktop Window Manager Core Library) |
| Vulnerability Class | Elevation of Privilege |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | January 13, 2026 |
Context
The Desktop Window Manager (DWM) is an increasingly important target for privilege escalation. DWM runs as SYSTEM and handles all desktop composition, so it processes input from every interactive application on the system. Any memory corruption within the DWM process yields SYSTEM privileges without crossing the user/kernel boundary.
CVE-2026-20842 is the seventh DWM vulnerability in the KernelSight corpus. The pace of DWM bugs has accelerated: CVE-2025-30400 was exploited in the wild, and CVE-2026-21519 was a zero-day patched in February 2026. The DWM attack surface is following the same trajectory that win32k took a decade earlier, moving from occasional bugs to a reliable exploitation target.
Root Cause
Microsoft's advisory confirms a privilege escalation in the DWM Core Library without disclosing the specific mechanism. DWM vulnerabilities in this corpus have included use-after-free in composition surfaces, type confusion in window composition, heap buffer overflow in surface processing, out-of-bounds access, and improper input validation. The common thread is that DWM processes complex graphical data structures from lower-privileged processes and must do so correctly every time. Any validation gap yields a SYSTEM-context primitive.
Exploitation
A local attacker sends crafted DWM operations through the composition interfaces accessible from any interactive session. The operations trigger memory corruption within the DWM process. Since DWM runs as SYSTEM, the corruption directly yields SYSTEM-context code execution.
Exploitation Primitive
Crafted DWM operation --> memory corruption
--> code execution in DWM (SYSTEM)
Broader Significance
DWM's role as a SYSTEM-level process that handles user-influenced graphical data makes it architecturally similar to win32k, but without many of the mitigations that Microsoft has applied to win32k over the past decade. There is no DWM-specific type isolation, no syscall lockdown policy, and no equivalent of callback hardening. As attackers shift away from heavily mitigated surfaces like win32k, DWM becomes an increasingly attractive alternative.