Skip to main content

Microsoft CVE-2026-27911

| EUVDEUVD-2026-22451 HIGH
Race Condition (CWE-362)
2026-04-14 microsoft
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:29 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22451
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
HIGH 7.8

DescriptionCVE.org

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally.

AnalysisAI

Race condition in Windows User Interface Core (MSRC patch CVE-2026-27911) enables low-privileged authenticated attackers to elevate privileges to SYSTEM level on Windows 10, Windows 11, and Windows Server 2016-2025 systems. The flaw stems from improper synchronization when multiple threads concurrently access shared resources in the UI subsystem, creating a time-of-check-time-of-use (TOCTOU) window exploitable for privilege escalation. Patch available per vendor advisory. No public exploit ident

Technical ContextAI

The vulnerability resides in the Windows User Interface Core component, a fundamental subsystem managing window creation, message handling, and UI resource allocation. CWE-362 (race condition) indicates the flaw occurs when multiple execution threads access shared kernel objects or memory structures without proper locking mechanisms, creating a TOCTOU vulnerability. During UI operations requiring state transitions, an attacker with low-privilege local access can manipulate timing to win the race between permission checks and resource allocation, bypassing security boundaries. Affected CPE strings span Windows 10 (versions 1607/1809/21H2/22H2), Windows 11 (22H3/23H2/24H2/25H2/26H1), and Windows Server 2016/2019/2022/2025 including Server Core installations, representing kernel-level UI infrastructure shared across all modern Windows versions since build 10.0.14393.0.

RemediationAI

Apply the vendor-released patches immediately from Microsoft Security Response Center. Upgrade Windows 10 Version 1607 to build 10.0.14393.9060 or later, Version 1809 to 10.0.17763.8644+, Version 21H2 to 10.0.19044.7184+, and Version 22H2 to 10.0.19045.7184+. For Windows 11, upgrade 22H3/23H2 to build 10.0.22631.6936+, 24H2 to 10.0.26100.32690+, 25H2 to 10.0.26200.8246+, and 26H1 to 10.0.28000.1836+. Server administrators must patch Server 2016 to 10.0.14393.9060+, Server 2019 to 10.0.17763.8644+, Server 2022 to 10.0.20348.5020+, Server 2022 23H2 Edition to 10.0.25398.2274+, and Server 2025 to 10.0.26100.32690+. Deploy patches via Windows Update, WSUS, or SCCM. No effective workarounds exist due to the kernel-level nature of the UI subsystem; patching is the only reliable mitigation. Detailed update guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27911.

Share

CVE-2026-27911 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy