CVE-2026-21234
HIGHCVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally.
Analysis
Local privilege escalation in Windows Connected Devices Platform Service exploits a race condition in resource synchronization, allowing authenticated attackers to gain elevated privileges on affected Windows systems including Server 2022, Windows 11 25h2, and Windows 10 21h2. The vulnerability requires local access and user interaction is not needed, making it a practical attack vector for users with standard privileges. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Windows systems running Connected Devices Platform Service and assess user access levels. Within 7 days: Implement network segmentation to restrict local access for non-administrative users and disable Connected Devices Platform Service where operationally feasible. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today