Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Use after free in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally.
AnalysisAI
Use-after-free in Microsoft Windows Speech component enables local privilege escalation to SYSTEM on Windows 10 (versions 1809, 21H2, 22H2) and Windows 11 (versions 22H3 through 26H1). Authenticated local attackers with low privileges can exploit memory corruption to gain full system control with low attack complexity and no user interaction required. CVSS 7.8 (High). Vendor-released patches available for all affected versions. No public exploit identified at time of analysis, though the straigh
Technical ContextAI
This vulnerability stems from a use-after-free condition (CWE-416) in the Windows Speech API subsystem, a component that provides text-to-speech and speech recognition capabilities across Windows platforms. Use-after-free vulnerabilities occur when code continues to use a memory pointer after the referenced memory has been deallocated, leading to memory corruption that attackers can manipulate to redirect execution flow. The Windows Speech component runs with elevated system privileges to access audio hardware and system resources, making it an attractive target for privilege escalation. The affected CPE strings identify this as impacting the Speech API across eight distinct Windows versions spanning Windows 10 build 17763 (version 1809 from 2018) through Windows 11 build 28000 (version 26H1, a future release), indicating a long-standing architectural issue in the shared Speech subsystem codebase. The local attack vector with low privileges required (CVSS PR:L) suggests exploitation occurs through standard user API calls to Speech services, rather than requiring administrative session access.
RemediationAI
Vendor-released patches are available for all affected Windows versions. Update Windows 10 Version 1809 to build 10.0.17763.8644 or later, Windows 10 Version 21H2 to build 10.0.19044.7184 or later, Windows 10 Version 22H2 to build 10.0.19045.7184 or later, Windows 11 Version 22H3 to build 10.0.22631.6936 or later, Windows 11 Version 23H2 to build 10.0.22631.6936 or later, Windows 11 Version 24H2 to build 10.0.26100.32690 or later, Windows 11 Version 25H2 to build 10.0.26200.8246 or later, and Windows 11 Version 26H1 to build 10.0.28000.1836 or later. Apply patches through Windows Update, WSUS, or Microsoft Update Catalog. Organizations should prioritize systems with multiple local users, shared workstations, or environments where users operate with standard (non-administrative) credentials that could leverage this for escalation. As a temporary risk mitigation for systems where immediate patching is not feasible, restrict local logon access to trusted users only and monitor for suspicious Speech API activity through Windows Event Logs (Event ID 4688 for process creation involving speech-related executables). Full remediation guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32153.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22538