Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Biometric Service allows an unauthorized attacker to bypass a security feature with a physical attack.
AnalysisAI
Windows Biometric Service contains a race condition in concurrent resource access that allows unauthorized attackers to bypass biometric authentication controls via physical attack, affecting Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server 2019, 2022, and 2025. The vulnerability requires physical access to the device and carries a moderate CVSS score of 6.1 (physical attack vector); Microsoft has released patches for all affected versions.
Technical ContextAI
Windows Biometric Service implements fingerprint and facial recognition authentication through shared kernel resources that manage concurrent access to biometric data and validation state. The vulnerability stems from improper synchronization mechanisms (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization) in the race condition handling between multiple authentication threads or processes. An attacker with physical access to a system can exploit a timing window in the synchronization logic to manipulate or bypass the biometric verification workflow before proper validation completes, allowing unauthorized access to the device or elevation of privileges. The affected products span Windows 10 build 17763 through 26100, Windows 11 build 22631 through 26200, and Windows Server 2019, 2022, and 2025 across their respective build versions.
RemediationAI
Apply the vendor-released patch via Windows Update or Microsoft Update. For Windows 10 version 1809, update to build 17763.8644 or later; Windows 10 version 21H2, update to build 19044.7184 or later; Windows 10 version 22H2, update to build 19045.7184 or later; Windows 11 version 22H3, update to build 22631.6936 or later; Windows 11 version 23H2, update to build 22631.6936 or later; Windows 11 version 24H2, update to build 26100.32690 or later; Windows 11 version 25H2, update to build 26200.8246 or later; Windows 11 version 26H1, update to build 28000.1836 or later; Windows Server 2019, update to build 17763.8644 or later; Windows Server 2022, update to build 20348.5020 or later; Windows Server 2025, update to build 26100.32690 or later. Interim mitigation pending patching includes restricting physical access to devices with biometric authentication enabled and disabling Windows Hello fingerprint/facial recognition if not operationally required. Consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32088 for patch availability timelines and additional mitigations.
Same weakness CWE-362 – Race Condition
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22524
GHSA-jrfq-3xg2-qxxf