
Positive Technologies and Microsoft collaborate to enhance operating system security

Exploiting these vulnerabilities could allow an attacker to escalate privileges and take full control of affected devices

Microsoft has released security updates for two desktop and four server editions of Windows across various versions and architectures to patch two zero-day vulnerabilities in the Desktop Window Manager (DWM). The flaws were discovered by Sergey Tarasov, a specialist at the Positive Technologies Expert Security Center (PT ESC). The vendor has been notified of the threat in line with the responsible disclosure policy and recommends that users apply the patches as soon as possible.

Security flaws in Windows operating systems threaten individual users as well as organizations of all sizes. According to the web analytics platform Statcounter, Microsoft dominates the personal computer market, holding a 63% global market share in this segment.

The vulnerabilities, tracked as PT-2026-40180¹ (CVE-2026-35419; BDU: 2026-02246) and PT-2026-40155 (CVE-2026-34336; BDU: 2026-02245), were found in the dwmcore.dll module, a component of the Desktop Window Manager (DWM). DWM is responsible for rendering the graphical user interface, including the desktop, applications, windows, animations, and visual effects. The affected systems include Windows 10, Windows 11, Server 2019, Server 2022, and Server 2025. The full list of systems is available in Microsoft's official security advisories (1, 2).

The vulnerabilities were rated as high and medium severity. PT-2026-40155 (CVSS 3.1 score 7.8) is a heap-based buffer overflow vulnerability that allows data to be written outside the allocated memory buffer. Successful exploitation of this vulnerability could allow an attacker to crash the system or execute malicious code. The second vulnerability, PT-2026-40180, received a CVSS 3.1 score of 5.5.

To exploit these vulnerabilities, an attacker would first need to execute code on a target device. This could be achieved by tricking a user into opening a malicious phishing email or by otherwise compromising a low-privileged account. Exploiting the flaws would then allow the attacker to escalate their privileges to the highest level (SYSTEM) and execute arbitrary code. At that point, the attacker would have full control over the device, enabling them to install malware, alter OS settings, steal sensitive data, and disable security controls.

¹ Security vulnerabilities have been registered on the dbugs portal, which aggregates data on vulnerabilities in software and hardware from vendors around the world.

"DWM is a core Windows component that is responsible for rendering the graphical interface. The vulnerabilities in its module allowed attackers to escalate privileges, even if they initially had limited access. The main risk is the complete compromise of the device and the theft of sensitive data. If attackers targeted a work laptop connected to the corporate network, they could use it as a foothold to infiltrate the organization and move laterally across its internal systems."

Sergey Tarasov, Head of Vulnerability Analysis at the Positive Technologies Expert Security Center

To identify attacks that could leverage similar vulnerabilities, organizations should deploy a vulnerability management platform such as MaxPatrol VM. MaxPatrol SIEM, in turn, detects pre-exploitation activity inside your infrastructure. MaxPatrol EPP uses an antivirus engine emulator to proactively detect malware attempting to exploit these vulnerabilities. MaxPatrol EDR identifies threats on endpoints running more than 25 operating systems, including major versions of the world's top ten most common operating systems, such as Windows.

Positive Technologies researchers frequently identify security flaws in Microsoft solutions and assist in fixing them. This collaboration dates back to 2012, resulting in the joint elimination of 13 vulnerabilities to date.

For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and vendor recommendations for software and hardware from vendors around the world.