Microsoft has released an emergency patch for a critical Windows DWM zero-day that attackers are already exploiting. The company disclosed the flaw on February 10, 2026, as part of its monthly security updates. This vulnerability, CVE-2026-21519, lets attackers gain full SYSTEM-level control over compromised machines.
The flaw lives in the Desktop Window Manager (DWM)—the Windows component that powers visual effects like transparent windows and live taskbar thumbnails. It is a “Type Confusion” bug (CWE-843). In this kind of attack, the program treats one data type as another, causing unexpected behavior. Here, it allows a local attacker with basic user access to run code with the highest privileges.
Although the attacker needs local access—either through login or prior remote code execution—the risk is severe. A standard user account can trigger the exploit. Microsoft confirms real-world attacks, marking it as a true zero-day. The Microsoft Threat Intelligence Center (MSTIC) discovered the flaw, suggesting threat actors used it in targeted campaigns before the patch.
This Windows DWM zero-day affects many systems. It spans Windows 11 (all recent versions), Windows 10 (v21H2 and v22H2), and Windows Server editions from 2016 to 2025. Because attackers are actively using it, organizations must treat the updates as urgent.
Administrators should act now. First, install the correct KB update for your OS. For example, Windows 11 26H1 users need KB5077179. Windows 10 systems require KB5075912. After installing, reboot and confirm the update applied successfully.
Do not stop at patching. Since exploitation has already occurred, security teams must check system logs. Look for suspicious activity involving dwm.exe, especially unusual process creation. These signs could reveal past breaches, even after patching.
The vulnerability has a CVSS score of 7.8 (High Severity). While it does not enable remote attacks by itself, it dramatically boosts an attacker’s power once inside a network. Attackers can use it to take full control, deploy ransomware, or move laterally across systems.
In short, this Windows DWM zero-day poses an immediate and serious threat. Patch immediately, verify the fix, and investigate for signs of compromise. Delaying action leaves your systems open to complete takeover.
READ: Top Android Security Threats of 2026 and How to Stay Safe
