Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Concurrent execution using shared resource with improper synchronization ('race condition') in UI Automation Manager (uiamanager.dll) allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows UI Automation Manager (uiamanager.dll) enables authenticated low-privileged users to gain higher privileges by exploiting a race condition in concurrent resource access. The flaw was reported by Microsoft's own security team (secure@microsoft.com) and has no public exploit identified at time of analysis, though the CVSS 7.0 score reflects high impact on confidentiality, integrity, and availability once successfully triggered.
Technical ContextAI
The vulnerability resides in uiamanager.dll, the Windows UI Automation framework component that provides programmatic access to UI elements for assistive technologies and automation tooling. The root cause is CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), commonly known as a race condition or TOCTOU-class flaw - multiple threads access a shared resource without adequate locking, creating a window where state can be manipulated between check and use. UI Automation runs with elevated trust to bridge user-mode applications and accessibility services, making any synchronization gap in its manager component a viable path to privilege escalation. The vendor-applied 'Information Disclosure' tag alongside 'Race Condition' suggests the race may also leak data across security boundaries during the exploitation window.
RemediationAI
Patch availability is indicated by the MSRC advisory linked at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45597; consult that page for the exact KB/cumulative update applicable to each Windows version and deploy via Windows Update, WSUS, or your standard patch management pipeline. No specific fix version is enumerated in the supplied data, so verify the patched build numbers against MSRC before deployment. As compensating controls until patching is complete, restrict interactive and remote logon rights on sensitive hosts so untrusted low-privileged accounts cannot reach the local attack surface, monitor for unexpected processes interacting with UI Automation APIs (UIAutomationCore/uiamanager) from non-accessibility contexts, and consider application allowlisting (WDAC/AppLocker) to block unsigned binaries from being introduced by low-privileged users - these reduce the pool of attackers who could attempt the race but do not eliminate the flaw and will not stop a legitimate signed binary abusing the API.
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35555
GHSA-h494-x7p4-qcw3