A zero-day vulnerability in the Windows Desktop Window Manager (DWM) is currently under active exploitation.
Microsoft released patches today, February 10, 2026, to address this flaw as part of the monthly security update cycle.
The vulnerability, tracked as CVE-2026-21519, allows attackers to gain SYSTEM-level privileges on compromised machines.
Technical Breakdown
This flaw is a “Type Confusion” vulnerability (CWE-843) located within the Desktop Window Manager, the Windows component responsible for visual effects like transparent windows and live taskbar thumbnails.
In a type confusion attack, the program is tricked into accessing a resource using an incompatible type.
For CVE-2026-21519, this confusion allows a local attacker, someone who already has basic access to the system, to execute code with elevated permissions.
- Attack Vector: Local (The attacker must be logged in or have remote execution ability).
- Privileges Required: Low (Standard user accounts can trigger it).
- Impact: Elevation of Privilege (EoP) to SYSTEM, the highest level of administrative control in Windows.
Microsoft’s advisory confirms that this vulnerability has been “Exploited” in the wild, classifying it as a zero-day.
The discovery is credited to the Microsoft Threat Intelligence Center (MSTIC), suggesting it may have been used in targeted attacks before today’s patch.
The vulnerability affects a broad range of Windows operating systems, from older Server 2016 installations to the latest Windows 11 builds.
Administrators should prioritize the following updates immediately:
| OS Version | Knowledge Base (KB) Article |
|---|---|
| Windows 11 v26H1 | [KB5077179] |
| Windows 11 v25H2 / v24H2 | [KB5077181] or [KB5077212] |
| Windows 11 v23H2 | [KB5075941] |
| Windows 10 v21H2 / v22H2 | [KB5075912] |
| Windows Server 2025 | [KB5075899] or [KB5075942] |
| Windows Server 2022 | [KB5075906], [KB5075943], or [KB5075897] |
| Windows Server 2019 | [KB5075904] |
| Windows Server 2016 | [KB5075999] |
Because this flaw is being actively exploited, organizations should treat these updates as an emergency.
- Patch Immediately: Apply the relevant KB for your OS version.
- Verify Installation: Ensure the update is successfully installed and the system is rebooted.
- Monitor Logs: While the patch prevents future exploitation, security teams should review logs for suspicious process creation involving
dwm.exeto detect past compromises.
The vulnerability carries a CVSS base score of 7.8 (High Severity). While it requires local access, its ability to grant full system control makes it a critical link in attack chains .
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google
