CVE-2026-21519

Desktop Window Manager — type confusion allows SYSTEM escalation

Exploited in the Wild

Actively exploited zero-day. Part of six zero-days patched in February 2026.

Summary

Field	Value
Driver	dwm.exe / dwmcore.dll (Desktop Window Manager)
Vulnerability Class	Type Confusion
CVSS	7.8
Exploited ITW	Yes
Patch Date	February 10, 2026

Root Cause

Type confusion in the Desktop Window Manager lets a standard user escalate to SYSTEM. DWM runs as SYSTEM, so any code execution within DWM grants full privileges. Second DWM zero-day after CVE-2025-30400.

Exploitation

Crafted window composition operations trigger the type confusion. Misinterpreted object types let the attacker read or write kernel memory through the DWM process.

Exploitation Primitive

Type confusion in DWM composition → memory corruption in SYSTEM-context process → SYSTEM

References

• MSRC Advisory
• Krebs on Security — February 2026 Patch Tuesday
• CyberSecurityNews — Desktop Window Manager 0-Day
• Malwarebytes — February 2026 Patch Tuesday