Skip to main content

Microsoft CVE-2026-32088

| EUVDEUVD-2026-22524 MEDIUM
Race Condition (CWE-362)
2026-04-14 microsoft GHSA-jrfq-3xg2-qxxf
6.1
CVSS 3.1 · NVD
Temporal: 5.3
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CIRCL (temporal)
5.3 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 19:42 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22524
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
MEDIUM 6.1

DescriptionCVE.org

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Biometric Service allows an unauthorized attacker to bypass a security feature with a physical attack.

AnalysisAI

Windows Biometric Service contains a race condition in concurrent resource access that allows unauthorized attackers to bypass biometric authentication controls via physical attack, affecting Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server 2019, 2022, and 2025. The vulnerability requires physical access to the device and carries a moderate CVSS score of 6.1 (physical attack vector); Microsoft has released patches for all affected versions.

Technical ContextAI

Windows Biometric Service implements fingerprint and facial recognition authentication through shared kernel resources that manage concurrent access to biometric data and validation state. The vulnerability stems from improper synchronization mechanisms (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization) in the race condition handling between multiple authentication threads or processes. An attacker with physical access to a system can exploit a timing window in the synchronization logic to manipulate or bypass the biometric verification workflow before proper validation completes, allowing unauthorized access to the device or elevation of privileges. The affected products span Windows 10 build 17763 through 26100, Windows 11 build 22631 through 26200, and Windows Server 2019, 2022, and 2025 across their respective build versions.

RemediationAI

Apply the vendor-released patch via Windows Update or Microsoft Update. For Windows 10 version 1809, update to build 17763.8644 or later; Windows 10 version 21H2, update to build 19044.7184 or later; Windows 10 version 22H2, update to build 19045.7184 or later; Windows 11 version 22H3, update to build 22631.6936 or later; Windows 11 version 23H2, update to build 22631.6936 or later; Windows 11 version 24H2, update to build 26100.32690 or later; Windows 11 version 25H2, update to build 26200.8246 or later; Windows 11 version 26H1, update to build 28000.1836 or later; Windows Server 2019, update to build 17763.8644 or later; Windows Server 2022, update to build 20348.5020 or later; Windows Server 2025, update to build 26100.32690 or later. Interim mitigation pending patching includes restricting physical access to devices with biometric authentication enabled and disabling Windows Hello fingerprint/facial recognition if not operationally required. Consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32088 for patch availability timelines and additional mitigations.

Share

CVE-2026-32088 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy