Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally.
AnalysisAI
Windows Shell privilege escalation affects Windows 10 (1809+), Windows 11 (all versions through 26H1), and Windows Server 2019-2025 via a race condition vulnerability (CWE-362). Local authenticated attackers with low-privilege access can exploit concurrent execution flaws to gain SYSTEM-level privileges with low attack complexity and no user interaction required (CVSS 7.8). Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though t
Technical ContextAI
This vulnerability targets the Windows Shell component, a fundamental subsystem responsible for user interface elements, file management, and process execution coordination across the Windows operating system. The root cause is CWE-362 (Race Condition), specifically involving concurrent execution using shared resources with improper synchronization. Race conditions occur when multiple threads or processes access shared memory or resources without proper locking mechanisms, creating a time-of-check-time-of-use (TOCTOU) window. In Windows Shell's case, the vulnerability likely involves improper synchronization when handling file operations, registry access, or inter-process communication, allowing an attacker to manipulate state transitions during the critical window between privilege checks and resource access. The CVSS vector (AV:L/AC:L/PR:L/UI:N) indicates this is a local exploit requiring low-privilege authenticated access with low attack complexity, meaning successful exploitation does not depend on race-winning probabilities that would elevate complexity ratings. The unchanged scope (S:U) confirms privilege escalation occurs within the Windows Shell's security context without breaking out to other components, though the complete CIA impact (C:H/I:H/A:H) demonstrates full system compromise potential once exploited.
RemediationAI
Apply the vendor-released security updates immediately through Windows Update or WSUS infrastructure. For Windows 10 version 1809, update to build 10.0.17763.8644 or later. For Windows 10 versions 21H2 and 22H2, update to builds 10.0.19044.7184 and 10.0.19045.7184 respectively. Windows 11 version 22H3 and 23H2 require build 10.0.22631.6936 or higher, while 24H2 needs build 10.0.26100.32690 or later, 25H2 requires build 10.0.26200.8246 or higher, and 26H1 requires build 10.0.28000.1836 or later. Windows Server 2019 (including Server Core) must update to build 10.0.17763.8644 or higher. Windows Server 2022 requires build 10.0.20348.5020 or later, Server 2022 23H2 Server Core needs build 10.0.25398.2274 or higher, and Windows Server 2025 (both standard and Server Core) requires build 10.0.26100.32690 or later. Download patches from Microsoft Update Catalog or apply via Windows Update services. No effective workarounds exist for race condition vulnerabilities in core OS components; patching is the only reliable mitigation. Consult the official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27918 for deployment guidance and known issues.
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22462
GHSA-r922-wwg3-2m7q