Skip to main content

Windows Brokering File System CVE-2026-32091

| EUVDEUVD-2026-22530 HIGH
Race Condition (CWE-362)
2026-04-14 microsoft
8.4
CVSS 3.1 · NVD
Temporal: 7.3
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
7.3 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Apr 21, 2026 - 15:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:32 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22530
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
HIGH 8.4

DescriptionCVE.org

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Microsoft Windows Brokering File System allows unprivileged attackers with physical or local access to gain SYSTEM-level privileges through a race condition vulnerability. The flaw affects all supported Windows 10, Windows 11, and Windows Server versions from 2016 through 2025. Despite an 8.4 CVSS score indicating high severity, real-world risk is moderate: EPSS score of 0.04% (12th percentile) suggests low exploitation likelihood, SSVC framework confirms no active exploitation, and the local attack vector limits exposure to scenarios where attackers already have local access. Vendor-released patches are available for all affected versions.

Technical ContextAI

The Windows Brokering File System (BFS) is a kernel-mode component that mediates file system access between different privilege contexts and security boundaries in Windows. This vulnerability stems from CWE-362 (Race Condition), where multiple threads or processes can access shared kernel resources without proper synchronization primitives like mutexes or locks. The flaw occurs when time-of-check-time-of-use (TOCTOU) windows allow attackers to manipulate file system objects or security tokens between validation and usage. The CVSS vector AV:L indicates the vulnerability requires local access to the target system, while PR:N means no prior authentication is needed once local access is achieved. The S:U (unchanged scope) suggests the vulnerability operates within the BFS component's privilege boundary but allows escalation to higher privileges within that scope. CPE data confirms impact across Windows 10 (versions 1607 through 22H2), Windows 11 (22H3 through 26H1), and all Windows Server versions from 2016 through 2025, indicating the vulnerable code has persisted across multiple Windows generations.

RemediationAI

Apply Microsoft's security updates immediately through Windows Update or WSUS for all affected systems. Specific patched versions: Windows 10 1607/Server 2016 to build 10.0.14393.9060 or later, Windows 10 1809/Server 2019 to build 10.0.17763.8644 or later, Windows 10 21H2 to build 10.0.19044.7184 or later, Windows 10 22H2 to build 10.0.19045.7184 or later, Windows 11 22H3/23H2 to build 10.0.22631.6936 or later, Windows 11 24H2/Server 2025 to build 10.0.26100.32690 or later, Windows 11 25H2 to build 10.0.26200.8246 or later, Windows 11 26H1 to build 10.0.28000.1836 or later, and Windows Server 2022 23H2 to build 10.0.25398.2274 or later. For environments unable to patch immediately, implement compensating controls: restrict local logon rights through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally') to trusted administrator accounts only, which eliminates the PR:N condition by requiring authentication; enable Windows Defender Credential Guard on Windows 11 and Server 2022+ to limit token manipulation attacks (requires UEFI, TPM 2.0, and may impact legacy applications using unconstrained Kerberos delegation); implement application allowlisting via AppLocker or Windows Defender Application Control to prevent unauthorized local code execution (introduces operational overhead for software deployment). These mitigations reduce but do not eliminate risk as race conditions can still be triggered by authorized processes. Detailed advisory and patch downloads: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32091.

Share

CVE-2026-32091 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy