Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows SSDP Service affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025 via a race condition vulnerability. Authenticated local users with low privileges can exploit improper synchronization in shared resource access to gain SYSTEM-level privileges, achieving full system compromise. Vendor-released patches are available across all affected versions. No public exploit identified at time of analysis, though the local attack vector and high impact warrant priority patching on multi-user or sensitive systems.
Technical ContextAI
The Simple Service Discovery Protocol (SSDP) is a core Windows networking component used for UPnP device discovery and communication. This vulnerability (CWE-362) stems from a time-of-check-to-time-of-use (TOCTOU) race condition where the SSDP Service improperly synchronizes access to shared resources during concurrent operations. The flaw allows a local attacker with low privileges to manipulate the timing of resource access, creating a window where they can inject malicious operations between validation checks and resource use. The affected service typically runs with elevated SYSTEM privileges, making successful exploitation a direct path to complete system control. The vulnerability spans an exceptionally broad Windows footprint including legacy systems (Server 2012, Windows 10 1607) through current releases (Windows 11 26H1, Server 2025), indicating a longstanding architectural issue in the SSDP implementation. The AC:H (high complexity) rating suggests successful exploitation requires precise timing and potentially multiple attempts, though once weaponized, such techniques are typically reliable.
RemediationAI
Apply Microsoft's April 2026 security updates immediately to all affected Windows systems. Vendor-released patches resolve the race condition across all supported versions with specific fixed builds: Windows 10 1607/Server 2016 to 10.0.14393.9060+, Windows 10 1809/Server 2019 to 10.0.17763.8644+, Windows 10 21H2 to 10.0.19044.7184+, Windows 10 22H2 to 10.0.19045.7184+, Windows 11 22H3/23H2 to 10.0.22631.6936+, Windows 11 24H2/Server 2025 to 10.0.26100.32690+, Windows 11 25H2 to 10.0.26200.8246+, Windows 11 26H1 to 10.0.28000.1836+, Server 2012 to 6.2.9200.26026+, Server 2012 R2 to 6.3.9600.23132+, Server 2022 to 10.0.20348.5020+, and Server 2022 23H2 to 10.0.25398.2274+. No effective workarounds exist for race condition vulnerabilities; patching is the only reliable mitigation. Prioritize systems with multiple interactive users or those accessible to untrusted local accounts. Download updates through Windows Update, WSUS, or Microsoft Update Catalog referencing CVE-2026-32068. Full advisory and deployment guidance available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32068.
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22489
GHSA-38cc-gg86-24ch