CVE-2026-34336 - Windows DWM Core Library Buffer Over-Read Information Disclosure
CVE-2026-34336 is a buffer over-read vulnerability in the Windows DWM Core Library, allowing a local, authenticated attacker to disclose sensitive information.
The flaw is in the Windows DWM (Desktop Window Manager) Core Library. It allows an attacker with local access and valid credentials to potentially read sensitive information from memory. Because the flaw is a buffer over-read, the disclosed information could be leveraged for further exploitation or to gain unauthorized access to sensitive data. The CVSS v3.1 score is rated as High (7.8), indicating a significant potential impact if successfully exploited. Defenders should apply the security update provided by Microsoft to mitigate this risk.
Attack Chain
- Attacker gains local access to a Windows system with valid user credentials.
- Attacker executes a specially crafted application that interacts with the DWM Core Library.
- The crafted application triggers a buffer over-read within the DWM Core Library during a memory operation.
- The over-read allows the application to read data beyond the intended buffer boundary in memory.
- Sensitive information, such as cryptographic keys or other user data, is exposed due to the buffer over-read.
- The attacker’s application captures the disclosed information from the memory.
- The attacker analyzes the captured information to identify sensitive data.
- The attacker uses the disclosed sensitive information to escalate privileges or gain unauthorized access to other resources.
Impact
Successful exploitation of CVE-2026-34336 allows an attacker to read potentially sensitive information from the memory of the affected system. This information could include user credentials, cryptographic keys, or other confidential data. An attacker with this information can escalate their privileges, compromise other systems, or steal sensitive data. This vulnerability requires local access, limiting the scale of potential attacks, but successful exploitation can have significant consequences for affected systems and users.
Recommendation
- Apply the security update provided by Microsoft to patch CVE-2026-34336 in the Windows DWM Core Library as referenced in the advisory URL.
- Monitor process creation events for unusual or unsigned executables interacting with the DWM.exe process using the provided Sigma rule.
- Enable and review Windows event logs for any errors related to the DWM service to identify potential exploitation attempts.
Detection coverage (2 rules)
Detects CVE-2026-34336 Exploitation Attempt — DWM Interaction by Unusual Process
Severity: medium. Detects a process that is not typically associated with DWM interacting with the DWM process, potentially indicating an exploitation attempt of CVE-2026-34336.
Detects CVE-2026-34336 Exploitation Attempt - DWM Related Process Crash
Severity: low. Detects a DWM related process crashing, potentially indicating an exploitation attempt of CVE-2026-34336.
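An added example, not part of the original advisory or its Sigma rules: a triage pass for the DWM crash detection above, run over Application-log crash records (Event ID 1000, provider "Application Error") that have been exported for review. The record field names, the sample events, the threshold of two crashes in ten minutes, and the focus on `dwmcore.dll` as the faulting module are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(host, time, app, module, event_id=1000):
    return {"host": host, "time": time, "provider": "Application Error",
            "id": event_id, "app": app, "module": module}

# Constructed sample records, not real telemetry; field names are an assumed export schema.
SAMPLE_EVENTS = [
    _ev("WS-01", "2026-01-05T10:00:05", "dwm.exe", "dwmcore.dll"),
    _ev("WS-01", "2026-01-05T10:03:40", "DWM.EXE", "dwmcore.dll"),
    _ev("WS-02", "2026-01-05T11:15:00", "dwm.exe", "example_gpu_driver.dll"),
    _ev("WS-02", "2026-01-05T11:16:00", "notepad.exe", "ntdll.dll"),
    _ev("WS-03", "2026-01-05T09:00:00", "dwm.exe", "dwmcore.dll"),
    _ev("WS-03", "2026-01-05T15:00:00", "dwm.exe", "dwmcore.dll"),
    _ev("WS-04", "2026-01-05T12:00:00", "dwm.exe", "dwmcore.dll", event_id=1001),
]

def dwm_crashes(events):
    """Return (host, time, faulting module) for each dwm.exe Event ID 1000 record."""
    hits = []
    for ev in events:
        is_crash = ev.get("provider") == "Application Error" and ev.get("id") == 1000
        if not is_crash or str(ev.get("app", "")).lower() != "dwm.exe":
            continue
        hits.append((ev["host"], datetime.fromisoformat(ev["time"]),
                     str(ev.get("module", "")).lower()))
    return hits

def hosts_to_triage(events, threshold=2, window=timedelta(minutes=10)):
    """Flag hosts with >= threshold DWM crashes inside one window (assumed heuristic)."""
    by_host = defaultdict(list)
    for host, when, module in dwm_crashes(events):
        by_host[host].append((when, module))
    flagged = {}
    for host, crashes in by_host.items():
        crashes.sort()
        start, best = 0, []
        for end in range(len(crashes)):
            while crashes[end][0] - crashes[start][0] > window:  # slide left edge
                start += 1
            if end - start + 1 > len(best):
                best = crashes[start:end + 1]
        if len(best) >= threshold:
            flagged[host] = {"crashes": len(best),
                             "in_dwmcore": any(m == "dwmcore.dll" for _, m in best)}
    return flagged

if __name__ == "__main__":
    print(hosts_to_triage(SAMPLE_EVENTS))
```

A single DWM crash is often a display driver fault, so the sketch only flags repeated crashes close together and records whether the faulting module was `dwmcore.dll`; a flagged host is a prompt to check patch status, not proof of exploitation.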