Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Use after free in Windows Server Update Service allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows Server Update Service (WSUS) on Windows 11 version 26H1 allows low-privileged authenticated users to gain SYSTEM-level access via use-after-free memory corruption. Exploitation requires local access and high attack complexity (CVSS AC:H), indicating timing-dependent or race condition triggers. Microsoft has released patch version 10.0.28000.1836 to address this vulnerability. No public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
This vulnerability stems from a use-after-free (CWE-416) condition in the Windows Server Update Service component. Use-after-free vulnerabilities occur when code attempts to access memory after it has been freed, potentially allowing an attacker to manipulate memory allocation to execute arbitrary code or escalate privileges. The affected product per CPE data is Windows 11 version 26H1 (microsoft:windows_11_version_26h1), specifically builds prior to 10.0.28000.1836. WSUS is a critical Windows component responsible for managing and distributing operating system updates across enterprise networks. The high attack complexity (AC:H) in the CVSS vector suggests the exploit requires precise timing or winning a race condition, making reliable exploitation more difficult than standard memory corruption issues. The local attack vector (AV:L) restricts exploitation to users with existing system access.
RemediationAI
Apply Microsoft's security update to upgrade Windows 11 version 26H1 to build 10.0.28000.1836 or later, which addresses the use-after-free vulnerability in WSUS. The patch is available through standard Windows Update channels and Microsoft Update Catalog. Organizations should prioritize patching systems where multiple users have local access or where account compromise risk is elevated. Download the update directly from Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32224. No workarounds are documented in available advisories; patching is the definitive remediation. Verify patch deployment by checking system build number (winver.exe) confirms version 10.0.28000.1836 or higher. In environments where immediate patching is not feasible, implement compensating controls including enhanced monitoring of privilege escalation attempts, restricted local logon permissions, and application control policies to limit execution of unsigned binaries.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22612
GHSA-3hp2-fjxj-6wj4