Skip to main content

Microsoft CVE-2026-32163

| EUVDEUVD-2026-22553 HIGH
Race Condition (CWE-362)
2026-04-14 microsoft
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:34 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22553
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
HIGH 7.8

DescriptionCVE.org

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally.

AnalysisAI

Privilege escalation in Windows User Interface Core across Windows 10 (1809-22H2), Windows 11 (22H3-26H1), and Windows Server (2019-2025) allows authenticated local attackers to gain elevated privileges via race condition exploitation. Vendor-released patches available for all affected versions. No public exploit identified at time of analysis. CVSS 7.8 (high) with local attack vector and high complexity (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C) indicates significant real-world risk in multi-user environments where low-privilege users can access affected systems.

Technical ContextAI

This vulnerability (CWE-362) affects the Windows User Interface Core component responsible for rendering and managing UI elements across the Windows operating system. Race conditions occur when multiple threads or processes access shared resources concurrently without proper synchronization mechanisms, creating timing-dependent windows where resource states can be manipulated. In Windows UI Core, these shared resources likely involve kernel objects, handles, or memory structures used during window management or user interaction processing. The scope change (S:C in CVSS vector) indicates the vulnerability can affect resources beyond the vulnerable component's security context, suggesting potential kernel-mode privilege boundary violations. Affected products span all modern Windows client and server platforms from Windows 10 version 1809 (released 2018) through Windows 11 version 26H1 and Windows Server 2025, indicating the vulnerable code exists in core UI subsystem components shared across these platforms.

RemediationAI

Apply Microsoft security updates immediately via Windows Update or WSUS to upgrade to patched versions: Windows 10 1809 to build 10.0.17763.8644 or later, Windows 10 21H2/22H2 to builds 10.0.19044.7184/10.0.19045.7184 or later, Windows 11 22H3/23H2 to build 10.0.22631.6936 or later, Windows 11 24H2 to build 10.0.26100.32690 or later, Windows 11 25H2 to build 10.0.26200.8246 or later, Windows 11 26H1 to build 10.0.28000.1836 or later, Windows Server 2019 to build 10.0.17763.8644 or later, Windows Server 2022 to build 10.0.20348.5020 or later, Windows Server 2022 23H2 Edition to build 10.0.25398.2274 or later, Windows Server 2025 to build 10.0.26100.32690 or later. Consult Microsoft Security Update Guide for complete deployment guidance and known issues: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32163. No workarounds documented; patching is the only effective remediation.

Share

CVE-2026-32163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy