Description
Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.
Published: 2026-05-12
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a type confusion flaw in the Windows Win32K component, in which a resource is accessed using an incompatible type. An attacker with authorized local access can use the flaw to gain elevated privileges on the affected system, potentially allowing execution of code with administrative rights.

Affected Systems

Affected Microsoft Windows products include Windows 10 versions 1809, 21H2, 22H2, Windows 11 versions 23H2, 24H2, 25H2, 22H3, 26H1, and the Windows Server line — 2019, 2022, 2025 including Server Core installations.

Risk and Exploitability

The CVSS score of 7.8 marks this flaw as high‑severity, and although the EPSS score is not available, the lack of entry in CISA’s KEV catalog suggests no widespread exploitation has been observed yet. The likely attack vector is local, requiring the attacker to already have a user session on the compromised machine, after which the type confusion can be triggered to elevate to administrative rights.

Generated by OpenCVE AI on May 12, 2026 at 19:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Microsoft security update for CVE‑2026‑35417 on all affected Windows 10, Windows 11 and Windows Server installations. The update is available in the Microsoft Security Advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35417.
  • Configure the operating system to automatically deploy the cumulative update so that future patches are applied without manual intervention.
  • Until the update is in place, enforce least privilege by limiting local administrator accounts and monitoring for unusual privilege‑escalation activity.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.

Type: Title
Values Removed: (none)
Values Added: Windows Win32k Elevation of Privilege Vulnerability

Type: First Time appeared
Values Removed: (none)
Values Added:
Microsoft
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Microsoft windows Server 23h2

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-843

Type: CPEs
Values Removed: (none)
Values Added:
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added:
Microsoft
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Microsoft windows Server 23h2

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-13T03:56:00.836Z

Reserved: 2026-04-02T19:21:11.804Z

Link: CVE-2026-35417

Vulnrichment

Updated: 2026-05-12T19:46:28.990Z

NVD

Status: Received

Published: 2026-05-12T18:17:12.120

Modified: 2026-05-12T18:17:12.120

Link: CVE-2026-35417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T19:45:15Z

Weaknesses