CVE-2026-33838
High
Published: 12 May 2026
Published
12 May 2026
Modified
14 May 2026
KEV Added
—
Patch
—
CVSS Score v3.1
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.0005
15.9th percentile
Risk Priority
16
60% EPSS · 20% KEV · 20% CVSS
Summary
CVE-2026-33838 is a high-severity Double Free (CWE-415) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 15.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-29584
Vulnerability details
Double free in Windows Message Queuing allows an authorized attacker to elevate privileges locally.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?
Double-free memory corruption in a Windows service directly enables local privilege escalation via vulnerability exploitation.
Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
CVEs Like This One
CVE-2026-26163Same product: Microsoft Windows 10 1607
CVE-2026-20832Same product: Microsoft Windows 10 1607
CVE-2026-32074Same product: Microsoft Windows 10 1809
CVE-2026-32069Same product: Microsoft Windows 10 1809
CVE-2026-25174Same product: Microsoft Windows 10 1607
CVE-2026-27920Same product: Microsoft Windows 10 1607
CVE-2026-27910Same product: Microsoft Windows 10 1607
CVE-2026-26180Same product: Microsoft Windows 10 1607
CVE-2026-34338Same product: Microsoft Windows 10 1607
CVE-2026-32077Same product: Microsoft Windows 10 1607
Affected Assets
microsoft
windows 10 1607
≤ 10.0.14393.9140 · ≤ 10.0.14393.9140
microsoft
windows 10 1809
≤ 10.0.17763.8755 · ≤ 10.0.17763.8755
microsoft
windows 10 21h2
≤ 10.0.19044.7291 · ≤ 10.0.19044.7291 · ≤ 10.0.19044.7291
microsoft
windows 10 22h2
≤ 10.0.19045.7291 · ≤ 10.0.19045.7291 · ≤ 10.0.19045.7291
microsoft
windows 11 23h2
≤ 10.0.22631.7079 · ≤ 10.0.22631.7079
microsoft
windows 11 24h2
≤ 10.0.26100.8390 · ≤ 10.0.26100.8390
microsoft
windows 11 25h2
≤ 10.0.26200.8390 · ≤ 10.0.26200.8390
microsoft
windows 11 26h1
≤ 10.0.28000.2113 · ≤ 10.0.28000.2113
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.9140
+4 more product configuration(s) — see NVD for full list
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.