Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows Speech Brokered API allows authenticated users with low privileges to gain SYSTEM-level access via race condition exploitation. Affects all supported Windows 10, Windows 11, and Windows Server versions (2016-2025). Microsoft released patches in May 2025 across 17 product variants. Despite CVSS 7.8 severity, EPSS score is low (0.04%, 12th percentile) indicating minimal observed exploitation activity. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.
Technical ContextAI
This vulnerability stems from CWE-362 (race condition) in the Windows Speech Brokered API, a Windows component that mediates speech recognition and text-to-speech services between applications and the underlying speech engine. Race conditions occur when multiple threads access shared resources without proper synchronization primitives (mutexes, semaphores, critical sections). In privilege-separated architectures like Windows, brokered APIs run with elevated privileges to perform operations on behalf of lower-privileged clients. Improper synchronization during request handling can create time-of-check-to-time-of-use (TOCTOU) windows where an attacker manipulates state between validation and execution phases. The affected CPE strings span Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server (2016, 2019, 2022, 2025) in both full and Server Core installations, indicating the Speech API is a core Windows component present across all modern releases.
RemediationAI
Apply Microsoft May 2025 cumulative updates to remediate this vulnerability. Specific patched versions: Windows 10 1607 to 14393.9060+, Windows 10 1809/Server 2019 to 17763.8644+, Windows 10 21H2 to 19044.7184+, Windows 10 22H2 to 19045.7184+, Windows 11 22H3/23H2 to 22631.6936+, Windows 11 24H2/Server 2025 to 26100.32690+, Windows 11 25H2 to 26200.8246+, Windows 11 26H1 to 28000.1836+, Windows Server 2016 to 14393.9060+, Windows Server 2022 to 20348.5020+ or 25398.2274+ (23H2), as documented in MSRC advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32090. If immediate patching is infeasible, implement compensating controls: restrict local logon rights to essential accounts only via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally'), reducing attack surface by minimizing potential exploit actors; enable Microsoft Defender Application Control (WDAC) or AppLocker in enforcement mode to prevent unsigned code execution by standard users, blocking potential race condition exploitation payloads; implement Credential Guard on Windows 10 Enterprise/Server 2016+ and Windows 11 to protect cached credentials even if local privilege escalation succeeds. Note that access restrictions may impact legitimate users requiring local logon, and application control policies require testing to avoid breaking line-of-business applications. No feasible workaround disables Speech API without breaking core Windows functionality.
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22529