Microsoft Fixes Windows Elevation-of-Privilege Flaws in tdx.sys and DWM Core
Microsoft published security updates for multiple Windows elevation-of-privilege vulnerabilities affecting the TDI Translation Driver (tdx.sys) and the DWM Core Library. The disclosures include CVE-2026-27908 and CVE-2026-27921 in tdx.sys, CVE-2026-25189 in the DWM Core Library, and an earlier related TDI Translation Driver issue, CVE-2025-49659. Microsoft classified the flaws as local privilege-escalation bugs that could let an authenticated attacker gain higher privileges on a vulnerable system.
Microsoft said CVE-2026-27908 is a use-after-free vulnerability tracked as CWE-416 with a CVSS 3.1 score of 7.0, and warned exploitation is more likely despite requiring high attack complexity because the attacker must win a race condition. The company stated the issue was not publicly disclosed and not exploited in the wild at publication, and credited Angelboy (@scwuaptx) of DEVCORE for reporting it. Fixes were made available through the Microsoft Security Update Guide for all listed vulnerabilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft releases fix for CVE-2026-27921 in Windows TDI Translation Driver
Microsoft published a Security Update Guide entry for CVE-2026-27921, an elevation-of-privilege vulnerability in the Windows TDI Translation Driver (tdx.sys). The entry marks the vulnerability's formal disclosure with a security update available.
Microsoft discloses and fixes CVE-2026-27908 reported by DEVCORE
Microsoft disclosed CVE-2026-27908, a use-after-free elevation-of-privilege flaw in the Windows TDI Translation Driver (tdx.sys) that could let a low-privileged local attacker gain SYSTEM privileges. Microsoft rated exploitation more likely, said the flaw was not publicly disclosed or exploited in the wild at publication, released a fix, and credited Angelboy of DEVCORE for reporting it.
Microsoft discloses and patches CVE-2026-25189 in Windows DWM Core Library
Microsoft published Security Update Guide entries for CVE-2026-25189, an elevation-of-privilege vulnerability in the Windows DWM Core Library. The advisory and vulnerability pages reflect the same disclosure and patch event.
Microsoft releases fix for CVE-2025-49659 in Windows TDI Translation Driver
Microsoft published a Security Update Guide entry for CVE-2025-49659, an elevation-of-privilege vulnerability in the Windows Transport Driver Interface (TDI) Translation Driver. The advisory indicates the vulnerability was formally disclosed with an update available.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
CVE-2026-27921 - Security Update Guide - Microsoft - Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-27908 - Security Update Guide - Microsoft - Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-25189 - Security Update Guide - Microsoft - Windows DWM Core Library Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-25189 - Security Update Guide - Microsoft - Windows DWM Core Library Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-49659 - Security Update Guide - Microsoft - Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Repeated Elevation-of-Privilege Flaws in DWM Core Library
Microsoft has issued security advisories for multiple **Desktop Window Manager (DWM) Core Library** elevation-of-privilege vulnerabilities affecting Windows, including `CVE-2022-21902`, `CVE-2022-41096`, `CVE-2024-43629`, `CVE-2025-21304`, and `CVE-2025-53801`. The flaws were published across several update cycles through the Microsoft Security Response Center, indicating a recurring security issue in the component responsible for Windows desktop composition and rendering. The advisories identify the vulnerabilities as **elevation of privilege** issues in the Windows or Microsoft DWM Core Library, meaning successful exploitation could allow an attacker with existing access to gain higher privileges on a targeted system. Microsoft released fixes through its Security Update Guide and related portal advisories, making patching a priority for organizations that rely on Windows endpoints and servers where the DWM component is present.
May 25, 2026
Microsoft Patches Multiple Windows Use-After-Free Privilege Escalation Flaws
Microsoft released fixes for several **Windows elevation-of-privilege vulnerabilities** affecting **Win32k**, **Windows Telephony Service**, **Desktop Window Manager**, and the **Windows Cloud Files Mini Filter Driver**. The disclosed flaws include `CVE-2026-34347`, `CVE-2026-42825`, `CVE-2026-27923`, and `CVE-2026-35418`, and are all tied to **use-after-free** conditions, with some cases also involving race conditions such as time-of-check time-of-use behavior. Microsoft said successful exploitation could let a locally authenticated attacker with low privileges gain **SYSTEM** access without user interaction. The vulnerabilities were rated **Important** with **CVSS 3.1 scores ranging from 7.0 to 7.8**, and Microsoft assessed exploitation as **less likely or unlikely** because several attacks require winning a race condition. At the time of disclosure, Microsoft reported **no public disclosure and no evidence of active exploitation** for the documented 2026 flaws, and stated that official security updates were available. Additional Microsoft advisories also reference related Windows and Microsoft Brokering File System elevation-of-privilege issues, including `CVE-2026-24285`, `CVE-2025-32712`, `CVE-2025-21372`, `CVE-2025-21315`, and `CVE-2025-59189`, though public technical details for those entries were limited.
May 25, 2026
Microsoft Fixes Multiple Windows Elevation of Privilege Flaws
Microsoft published security updates for several Windows elevation of privilege vulnerabilities affecting core components, including **Windows Storage Spaces Controller**, **Windows SMB Client**, and **Windows Speech Runtime**. The issues were tracked as `CVE-2026-27907`, `CVE-2025-32718`, and `CVE-2025-58715`, respectively, and all could allow attackers to gain higher privileges on affected systems after initial access. Among the disclosed flaws, Microsoft provided the most detail for `CVE-2026-27907`, describing it as an **integer underflow** issue (`CWE-191`) in Windows Storage Spaces Controller that could let a locally authenticated low-privileged attacker elevate privileges to **SYSTEM** without user interaction. Microsoft rated that vulnerability **Important** with a **CVSS 3.1 score of 7.8**, said it was not publicly disclosed or exploited at publication, assessed exploitation as less likely, and released an official fix as part of its security guidance.
May 25, 2026