
About the Elevation of Privilege – Desktop Window Manager (CVE-2026-21519) vulnerability. The vulnerability is from the February Microsoft Patch Tuesday. Desktop Window Manager is a compositing window manager included in Windows starting with Windows Vista. A Type Confusion error (CWE-843) in Desktop Window Manager allows an authorized attacker to locally elevate privileges to the SYSTEM level. By fixing this vulnerability, Microsoft most likely attempted to counter the same attacker who exploited the January Information Disclosure vulnerability (CVE-2026-20805) in the same component. It is possible that the original fix did not fully resolve the issue.
👾 Microsoft reports that the vulnerability has been exploited in the wild. The vulnerability has been in the CISA KEV since February 10.
🛠 No public exploits are available yet.

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; these days I write there first.
