CVE-2026-21519
Desktop Window Manager -- type confusion zero-day exploited in the wild, second DWM zero-day in under a year
Exploited in the Wild
Actively exploited zero-day. Part of six zero-days patched in February 2026.
Summary
| Field | Value |
|---|---|
| Driver | dwm.exe / dwmcore.dll (Desktop Window Manager) |
| Vulnerability Class | Type Confusion |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | February 10, 2026 |
Context
February 2026's Patch Tuesday included six zero-days, and CVE-2026-21519 was among them. It is the second Desktop Window Manager zero-day in under a year, following CVE-2025-30400 (use-after-free in composition surfaces, May 2025). The pattern is clear: DWM has graduated from an occasional EoP source to a zero-day target.
DWM's appeal to attackers is straightforward. It runs as SYSTEM. It processes complex graphical composition data from every interactive application. And unlike win32k, which has received over a decade of targeted mitigation work (type isolation, syscall lockdown, callback hardening), DWM has no comparable mitigation framework. The SYSTEM-context DWM process is essentially a user-mode kernel: any code execution within it yields full privileges.
Root Cause
A type confusion in the Desktop Window Manager's composition handling causes the process to misinterpret one object type as another. When DWM processes crafted window composition operations, it applies the wrong type interpretation to an object, accessing fields at incorrect offsets or calling function pointers from the wrong vtable. The confusion gives the attacker either a controlled read/write through misinterpreted data fields or a controlled function pointer call through a misinterpreted vtable entry.
This is the same bug class as CVE-2022-21882 (WndExtra type confusion in win32kbase.sys), but occurring in the DWM user-mode process rather than the kernel. The impact is equivalent because DWM runs as SYSTEM.
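The bug class described above, as an added C example that is not code from DWM or from this advisory: an unchecked handler reads a field at one type's offset regardless of the object's real type, shown beside a handler that validates the type tag first. All type, field, and function names are hypothetical, and the sample objects are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical object kinds for illustration; not DWM's real types. */
enum obj_kind { KIND_SURFACE = 1, KIND_BRUSH = 2 };

struct obj_header { uint32_t kind; uint32_t size; };

/* surface.buffer_len is a trusted, internally computed length.
   brush.user_color is caller-supplied and sits at the same offset. */
struct surface { struct obj_header h; uint64_t buffer_len; };
struct brush   { struct obj_header h; uint64_t user_color; };

/* Before: assumes every object is a surface and reads the field at the
   surface offset, whatever the object really is. */
uint64_t surface_len_unchecked(const void *obj)
{
    uint64_t len;
    memcpy(&len, (const unsigned char *)obj + offsetof(struct surface, buffer_len),
           sizeof len);
    return len;
}

/* After: validate the tag and size before interpreting any field.
   Returns 0 on success, -1 if the object is not a well-formed surface. */
int surface_len_checked(const void *obj, size_t obj_bytes, uint64_t *out)
{
    struct obj_header h;
    if (obj == NULL || out == NULL || obj_bytes < sizeof h)
        return -1;
    memcpy(&h, obj, sizeof h);
    if (h.kind != KIND_SURFACE || h.size != sizeof(struct surface) || obj_bytes < h.size)
        return -1;
    *out = surface_len_unchecked(obj);
    return 0;
}

/* Constructed sample objects. */
static const struct surface sample_surface =
    { { KIND_SURFACE, sizeof(struct surface) }, 4096 };
static const struct brush sample_brush =
    { { KIND_BRUSH, sizeof(struct brush) }, 0xFFFFFFFFFFFFFFF0ull };
```

With the brush passed in, the unchecked path returns the caller-supplied color value as if it were a trusted buffer length; the checked path rejects the object before any field is read.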
Exploitation
Crafted window composition operations trigger the type confusion. The attacker creates specific window and surface configurations that cause DWM to misinterpret an object. Through the misinterpreted fields, the attacker reads or writes DWM process memory with controlled offsets and values. Since DWM runs as SYSTEM, this memory corruption yields a direct SYSTEM-context primitive.
The exact delivery mechanism for the ITW exploit has not been publicly detailed. The February 2026 Patch Tuesday was covered by Krebs on Security, CyberSecurityNews, and Malwarebytes, all confirming active exploitation across the six zero-days.
Exploitation Primitive
Type confusion in DWM composition --> memory corruption in SYSTEM-context process --> SYSTEM
Broader Significance
Two DWM zero-days in under a year signals a shift in the Windows exploitation landscape. As win32k becomes harder to exploit due to accumulated mitigations, DWM emerges as the next major SYSTEM-context target. The February 2026 patch batch, with six simultaneously exploited zero-days, also suggests that attackers stockpile multiple exploit chains and deploy them in coordinated campaigns. Defenders who patch only after public exploitation may face adversaries with reserves of unpublished bugs in the same components.