CVE ID: CVE-2026-21519

Published: 2026-02-10
Updated: 3 months ago
Vendor/s: Microsoft
Product/s: Windows
Version/s: * > 10.0.14393.8868
KEV Status: Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1): 7.8 / 10 (High)

Severity Details

Base score: 7.8 High
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Description

CVE-2026-21519 is a high-severity privilege escalation vulnerability in Windows Desktop Window Manager currently under active exploitation.

CPE

Microsoft
| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| windows_10_1607 | * | 10.0.14393.8868 | vulnerable |
| windows_10_1809 | * | 10.0.17763.8389 | vulnerable |
| windows_10_21h2 | * | 10.0.19044.6937 | vulnerable |
| windows_10_22h2 | * | 10.0.19045.6937 | vulnerable |
| windows_11_23h2 | * | 10.0.22631.6649 | vulnerable |
| windows_11_24h2 | * | 10.0.26100.7781 | vulnerable |
| windows_11_25h2 | * | 10.0.26200.7781 | vulnerable |
| windows_server_2016 | * | 10.0.14393.8868 | vulnerable |
| windows_server_2019 | * | 10.0.17763.8389 | vulnerable |
| windows_server_2022 | * | 10.0.20348.4711 | vulnerable |
| windows_server_2022_23h2 | * | 10.0.25398.2149 | vulnerable |
| windows_server_2025 | * | 10.0.26100.32313 | vulnerable |

Related weakness (CWE)

CWE-843

Remediation plan

1. Apply official patches

Install the latest security updates provided by Microsoft via Windows Update or Windows Server Update Services (WSUS) to address the DWM type confusion flaw.

2. Update affected systems

Ensure Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2), and Windows Server (2016-2025) are updated beyond the specific build thresholds, such as 10.0.19045.6937 for Windows 10 22H2.

3. Restrict access

Enforce the principle of least privilege (PoLP) by limiting local administrative rights and restricting access to sensitive system components for standard users to minimize the attack surface.

4. Monitor for exploitation

Track unusual behavior in the dwm.exe process, including frequent crashes or unexpected child processes, which may indicate an attempted privilege escalation exploit.

Detection Guidance

Detect exploitation by monitoring Windows Event Logs for frequent crashes of the dwm.exe process (Event ID 1000). Use Endpoint Detection and Response (EDR) tools to flag suspicious process trees where a low-privilege user spawns a system-level shell or process via DWM. Additionally, look for memory corruption artifacts or unusual API calls associated with type confusion in the Desktop Window Manager service.
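
The two signals described above (repeated dwm.exe crashes and processes started by dwm.exe) can be checked over exported event records as in the following added example, which is not part of the original advisory. The record layout, the sample events, the crash threshold and the time window are assumptions made for illustration, as is the use of Security Event ID 4688 (process creation) as the source of parent/child data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CRASH_THRESHOLD = 3             # assumed: crashes per host that count as "frequent"
WINDOW = timedelta(minutes=10)  # assumed sliding window for the crash count

# Constructed sample records (not real telemetry), in a simplified export layout:
# id 1000 = Application Error crash, id 4688 = Security process creation.
SAMPLE_EVENTS = [
    {"host": "ws-01", "time": "2026-02-11T09:00:05", "id": 1000, "app": "dwm.exe"},
    {"host": "ws-01", "time": "2026-02-11T09:02:10", "id": 1000, "app": "dwm.exe"},
    {"host": "ws-01", "time": "2026-02-11T09:04:30", "id": 1000, "app": "DWM.EXE"},
    {"host": "ws-01", "time": "2026-02-11T09:04:41", "id": 4688,
     "parent": r"C:\Windows\System32\dwm.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-02", "time": "2026-02-11T10:15:00", "id": 1000, "app": "dwm.exe"},
    {"host": "ws-02", "time": "2026-02-11T10:16:00", "id": 4688,
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "ws-03", "time": "2026-02-11T08:00:00", "id": 1000, "app": "dwm.exe"},
    {"host": "ws-03", "time": "2026-02-11T08:30:00", "id": 1000, "app": "dwm.exe"},
    {"host": "ws-03", "time": "2026-02-11T09:00:00", "id": 1000, "app": "dwm.exe"},
]

def is_dwm(path):
    """True if the file name component of path is dwm.exe (case-insensitive)."""
    return path.rsplit("\\", 1)[-1].lower() == "dwm.exe"

def find_dwm_anomalies(events):
    """Return (host, rule, detail) tuples for crash bursts and dwm.exe children."""
    findings, crashes = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 1000 and is_dwm(ev.get("app", "")):
            crashes[ev["host"]].append(datetime.fromisoformat(ev["time"]))
        elif ev["id"] == 4688 and is_dwm(ev.get("parent", "")):
            # dwm.exe does not normally start other programs, so any child is flagged.
            findings.append((ev["host"], "dwm_child", ev["image"]))
    for host, times in crashes.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1  # drop crashes that fell out of the window
            if end - start + 1 >= CRASH_THRESHOLD:
                findings.append((host, "dwm_crash_burst", f"{end - start + 1} crashes"))
                break  # one finding per host is enough
    return findings

if __name__ == "__main__":
    for finding in find_dwm_anomalies(SAMPLE_EVENTS):
        print(finding)
```

A single crash (ws-02) or crashes spread over an hour (ws-03) stay below the assumed threshold; tune both constants to the baseline of the fleet being monitored.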

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
