Skip to main content

Microsoft CVE-2026-32068

| EUVDEUVD-2026-22489 HIGH
Race Condition (CWE-362)
2026-04-14 microsoft GHSA-38cc-gg86-24ch
7.0
CVSS 3.1 · NVD
Temporal: 6.1
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.1 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:31 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22489
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
HIGH 7.0

DescriptionCVE.org

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows SSDP Service affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025 via a race condition vulnerability. Authenticated local users with low privileges can exploit improper synchronization in shared resource access to gain SYSTEM-level privileges, achieving full system compromise. Vendor-released patches are available across all affected versions. No public exploit identified at time of analysis, though the local attack vector and high impact warrant priority patching on multi-user or sensitive systems.

Technical ContextAI

The Simple Service Discovery Protocol (SSDP) is a core Windows networking component used for UPnP device discovery and communication. This vulnerability (CWE-362) stems from a time-of-check-to-time-of-use (TOCTOU) race condition where the SSDP Service improperly synchronizes access to shared resources during concurrent operations. The flaw allows a local attacker with low privileges to manipulate the timing of resource access, creating a window where they can inject malicious operations between validation checks and resource use. The affected service typically runs with elevated SYSTEM privileges, making successful exploitation a direct path to complete system control. The vulnerability spans an exceptionally broad Windows footprint including legacy systems (Server 2012, Windows 10 1607) through current releases (Windows 11 26H1, Server 2025), indicating a longstanding architectural issue in the SSDP implementation. The AC:H (high complexity) rating suggests successful exploitation requires precise timing and potentially multiple attempts, though once weaponized, such techniques are typically reliable.

RemediationAI

Apply Microsoft's April 2026 security updates immediately to all affected Windows systems. Vendor-released patches resolve the race condition across all supported versions with specific fixed builds: Windows 10 1607/Server 2016 to 10.0.14393.9060+, Windows 10 1809/Server 2019 to 10.0.17763.8644+, Windows 10 21H2 to 10.0.19044.7184+, Windows 10 22H2 to 10.0.19045.7184+, Windows 11 22H3/23H2 to 10.0.22631.6936+, Windows 11 24H2/Server 2025 to 10.0.26100.32690+, Windows 11 25H2 to 10.0.26200.8246+, Windows 11 26H1 to 10.0.28000.1836+, Server 2012 to 6.2.9200.26026+, Server 2012 R2 to 6.3.9600.23132+, Server 2022 to 10.0.20348.5020+, and Server 2022 23H2 to 10.0.25398.2274+. No effective workarounds exist for race condition vulnerabilities; patching is the only reliable mitigation. Prioritize systems with multiple interactive users or those accessible to untrusted local accounts. Download updates through Windows Update, WSUS, or Microsoft Update Catalog referencing CVE-2026-32068. Full advisory and deployment guidance available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32068.

Share

CVE-2026-32068 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy