Skip to content
Threat Feed
high advisory

CVE-2026-32165 Use-After-Free in Windows User Interface Core

CVE-2026-32165 is a use-after-free vulnerability in Windows User Interface Core that allows a locally authenticated attacker to elevate privileges.

CVE-2026-32165 is a critical use-after-free vulnerability affecting the Windows User Interface Core. This vulnerability allows a locally authenticated attacker to achieve privilege escalation on a vulnerable system. The vulnerability exists because the User Interface Core improperly handles objects in memory, leading to a situation where an attacker can manipulate a pointer to a freed memory region. Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code with elevated privileges. This vulnerability poses a significant threat to Windows systems, as local attackers could leverage it to gain administrative control. Defenders should apply the patch released by Microsoft as soon as possible.

Attack Chain

  1. The attacker gains local access to a Windows system.
  2. The attacker crafts a specific input that triggers the vulnerability in the Windows User Interface Core.
  3. The crafted input causes the User Interface Core to free a memory region.
  4. The attacker manipulates the memory layout to reallocate the freed memory region with attacker-controlled data.
  5. The User Interface Core attempts to access the reallocated memory region using the dangling pointer, resulting in a use-after-free condition.
  6. The attacker leverages the use-after-free condition to overwrite critical system data.
  7. The attacker injects malicious code into a privileged process.
  8. The attacker successfully elevates privileges to execute arbitrary code with SYSTEM privileges.

Impact

Successful exploitation of CVE-2026-32165 allows a local attacker to elevate privileges to SYSTEM, the highest level of privilege in Windows. This would allow the attacker to perform any action on the system, including installing malware, stealing sensitive data, and creating new user accounts with administrative privileges. Given the nature of the vulnerability and the potential for complete system compromise, this poses a serious risk to affected Windows systems.

Recommendation

  • Apply the security update released by Microsoft to patch CVE-2026-32165 immediately to prevent potential exploitation.
  • Enable process creation logging to monitor for suspicious processes being launched, which could indicate successful exploitation of this vulnerability.
  • Implement the provided Sigma rule to detect potential exploitation attempts targeting the Windows User Interface Core.
  • Monitor for unexpected registry modifications or file system changes made by processes related to the Windows User Interface Core.

Detection coverage 2

Detect Potential Use-After-Free Exploitation in UI Core

high

Detects suspicious process creations that might be indicative of exploiting CVE-2026-32165 in the Windows UI Core.

sigma tactics: privilege_escalation techniques: T1068 sources: process_creation, windows

Detect Modification of UI Automation Settings

medium

Detects changes to registry keys related to UI Automation, which may be manipulated during exploitation attempts.

sigma tactics: privilege_escalation techniques: T1547.001 sources: registry_set, windows

Detection queries are kept inside the platform. Get full rules →