Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Local code execution as a standard user is required (AV:L, PR:L), winning a TOCTOU race is non-deterministic (AC:H), no user interaction, and SYSTEM-level escalation yields full C/I/A impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
Time-of-check time-of-use (TOCTOU) race condition in Program Compatibility Assistant Service allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows Program Compatibility Assistant (PCA) Service affects supported Windows 10, Windows 11, and Windows Server 2022/2025 builds through a TOCTOU race condition (CWE-367). An authenticated local attacker who wins the race window can elevate from a standard user context to higher privileges with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.05%), but Microsoft has released patches across all affected branches.
Technical ContextAI
The Program Compatibility Assistant (PCA) Service is a Windows component (pcasvc.dll) that monitors program execution to detect and apply compatibility shims for legacy applications, and it runs with elevated privileges. CWE-367 (Time-of-check Time-of-use) describes a class of race conditions where the state of a resource (such as a file path, handle, or registry key) is validated and then operated on as two non-atomic steps, allowing a concurrent attacker to swap the underlying resource between the check and the use. The affected CPEs cover Windows 10 21H2/22H2, Windows 11 23H2/24H2 (and the 25H2/26H1 builds in the EUVD list), and Windows Server 2022/2025 across x86, x64, and arm64, indicating the vulnerable code path is in a shared servicing component rather than an edition-specific feature.
RemediationAI
Apply the cumulative Windows security update for your branch that brings the OS to at least the fixed build listed in the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45487): Windows 10 21H2/22H2 to 19044.7417/19045.7417, Windows 11 23H2 to 22631.7219, Windows 11 24H2 and 25H2 to 26100.8655/26200.8655, Windows 11 26H1 to 28000.2269, Windows Server 2022 to 20348.5256, and Windows Server 2025 (including Server Core) to 26100.32995 - vendor-released patch confirmed in those builds. As a temporary compensating control where patching is blocked, the Program Compatibility Assistant Service (PcaSvc) can be disabled or set to Manual via services.msc or 'sc config PcaSvc start= disabled', with the side effect that Windows will no longer detect and apply compatibility shims to legacy applications and the PCA UI prompts will not appear, which may break older line-of-business software. Additionally restrict interactive logon on multi-user systems and tighten application allow-listing (WDAC/AppLocker) so that the unprivileged code needed to enter the race window cannot easily be executed.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35673
GHSA-fj7f-jv57-m7jh