Skip to main content

Windows UI Automation CVE-2026-45597

| EUVDEUVD-2026-35555 HIGH
Race Condition (CWE-362)
2026-06-09 secure@microsoft.com GHSA-h494-x7p4-qcw3
7.0
CVSS 3.1 · NVD
Temporal: 6.1
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.1 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 18:13 vuln.today

DescriptionNVD

Concurrent execution using shared resource with improper synchronization ('race condition') in UI Automation Manager (uiamanager.dll) allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Microsoft Windows UI Automation Manager (uiamanager.dll) enables authenticated low-privileged users to gain higher privileges by exploiting a race condition in concurrent resource access. The flaw was reported by Microsoft's own security team (secure@microsoft.com) and has no public exploit identified at time of analysis, though the CVSS 7.0 score reflects high impact on confidentiality, integrity, and availability once successfully triggered.

Technical ContextAI

The vulnerability resides in uiamanager.dll, the Windows UI Automation framework component that provides programmatic access to UI elements for assistive technologies and automation tooling. The root cause is CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), commonly known as a race condition or TOCTOU-class flaw - multiple threads access a shared resource without adequate locking, creating a window where state can be manipulated between check and use. UI Automation runs with elevated trust to bridge user-mode applications and accessibility services, making any synchronization gap in its manager component a viable path to privilege escalation. The vendor-applied 'Information Disclosure' tag alongside 'Race Condition' suggests the race may also leak data across security boundaries during the exploitation window.

RemediationAI

Patch availability is indicated by the MSRC advisory linked at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45597; consult that page for the exact KB/cumulative update applicable to each Windows version and deploy via Windows Update, WSUS, or your standard patch management pipeline. No specific fix version is enumerated in the supplied data, so verify the patched build numbers against MSRC before deployment. As compensating controls until patching is complete, restrict interactive and remote logon rights on sensitive hosts so untrusted low-privileged accounts cannot reach the local attack surface, monitor for unexpected processes interacting with UI Automation APIs (UIAutomationCore/uiamanager) from non-accessibility contexts, and consider application allowlisting (WDAC/AppLocker) to block unsigned binaries from being introduced by low-privileged users - these reduce the pool of attackers who could attempt the race but do not eliminate the flaw and will not stop a legitimate signed binary abusing the API.

Share

CVE-2026-45597 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy