Microsoft Windows Desktop Window Manager (DWM) Core, type-confusion elevation of privilege

Overview

CVE-2026-21519 is a type-confusion vulnerability (CWE-843) in the Desktop Window Manager (DWM), the Windows compositor that renders the graphical interface for every interactive session. The flaw arises when the DWM Core Library accesses a resource using a type incompatible with the type it was actually allocated as. An attacker who can influence the object layout supplies an object of one type where another is expected, causing the code to misinterpret memory, often turning a benign field into a pointer it then trusts, which yields a controlled read or write and ultimately code execution at SYSTEM. Microsoft rated the issue Important with a CVSS 3.1 base score of 7.8 and confirmed it was exploited in the wild as a zero-day. CISA added it to the Known Exploited Vulnerabilities catalog on 10 February 2026 with a remediation due date of 3 March 2026.

The vulnerability was disclosed and patched in the February 2026 Patch Tuesday release, which addressed six actively exploited zero-days in total. DWM runs in every logged-on session and is reachable from low-privileged code, making it a recurring and attractive local-privilege-escalation target.

Technical Details

Type confusion occurs when code casts or treats a memory object as a type other than the one it truly is, without validating the actual type. In the DWM Core Library, composition and rendering objects are passed across the boundary between a session process and the manager. By crafting an object whose real type differs from the type DWM assumes, an attacker causes DWM to read or write fields at offsets that are valid for the assumed type but not for the real one. Because the two layouts overlap differently, an attacker-controlled value can land where DWM expects a trusted pointer or length, giving a controlled write primitive that is then escalated to arbitrary code execution.

The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H describes a local attack (AV:L) by an already-authenticated low-privileged user (PR:L) that needs no user interaction (UI:N) and results in full SYSTEM compromise (C:H/I:H/A:H). This is a textbook second-stage exploit: an attacker who has obtained any interactive or low-privileged code execution uses it to seize SYSTEM, after which security controls can be disabled and persistence established.

Impact

• Local elevation from any authenticated low-privileged account to SYSTEM via the always-present DWM attack surface.
• Kernel/SYSTEM-level code execution enabling EDR tampering, driver loading, and durable persistence.
• Confirmed zero-day exploitation in the wild, so the bug is already weaponised rather than theoretical.
• Broad exposure across supported Windows 10, Windows 11, and Windows Server editions that run the DWM compositor.

Mitigation

1. Install the February 2026 (10 February 2026) cumulative security update for every affected build without delay; CISA set a federal remediation deadline of 3 March 2026, which is a reasonable urgency benchmark for all organisations.
2. Identify the exact KB for each OS from the MSRC Security Updates table for CVE-2026-21519 and deploy it: the February 2026 cumulative update for Windows 11 24H2, 23H2, and 22H2; for Windows 10 22H2 / 21H2; and the corresponding February 2026 cumulative update or monthly rollup for Windows Server 2025, Server 2022 (including 23H2), Server 2019, and Server 2016.
3. Reboot after installation and verify the OS build advanced to the February 2026 servicing level so the patched DWM Core Library is in effect.
4. Prioritise multi-user and interactive systems, Remote Desktop Session Hosts, VDI/Citrix farms, and shared workstations, because these maximise both exposure to low-privileged users and the payoff of a SYSTEM escape.
5. Reinforce least privilege and application control (WDAC/AppLocker) and keep EDR tamper protection enabled to make the initial low-privilege foothold the exploit requires harder to obtain and to retain.

Detection

Microsoft has not published exploitation specifics, so detection should center on the outcome, a low-privileged process becoming SYSTEM, rather than on a unique payload signature. In EDR telemetry, alert on integrity-level or token transitions where a process started by a standard user acquires SYSTEM context, and on the behaviours that typically follow: creation of new services, driver loads through the kernel service path, scheduled tasks registered as SYSTEM, addition of accounts to privileged groups, or LSASS access shortly after the elevation. Map these to ATT&CK T1068 (exploitation for privilege escalation).

Because DWM is the abused component, watch dwm.exe and the DWM Core Library for instability and anomalies. Crashes or repeated restarts of dwm.exe, or Windows Error Reporting and minidump entries attributing faults to the DWM Core Library or to graphics composition code, can indicate failed or in-progress exploit attempts; forward these crash artifacts centrally for triage. Unexpected child processes parented to or spawned around dwm.exe are similarly suspicious, since DWM does not normally launch arbitrary executables.

Hunt for the staging that precedes local escalation. A user who recently arrived via phishing, a malicious document, or a browser exploit and then exhibits a privilege jump is the high-value pattern; correlate initial-access alerts with subsequent SYSTEM-context activity on the same host within a short window. Sysmon process-create and image-load events help reconstruct the chain.

Finally, fold patch state into detection. Run authenticated vulnerability scans and flag any endpoint still missing the February 2026 cumulative update for its build, then cross-reference those hosts against EDR for signs of low-privileged code execution or DWM instability. Ensure Microsoft Defender and other agents have current behavioural detections, since vendors ship coverage for in-the-wild DWM escalation techniques, and keep tamper protection on so the agent itself survives a successful SYSTEM escape long enough to alert. Retain process-creation and crash telemetry for retrospective analysis as well, because Microsoft withheld exploitation details and additional indicators may surface only after researchers publish deeper analysis of the in-the-wild chain.