Severity by source
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally.
AnalysisAI
Race condition in Windows User Interface Core (MSRC patch CVE-2026-27911) enables low-privileged authenticated attackers to elevate privileges to SYSTEM level on Windows 10, Windows 11, and Windows Server 2016-2025 systems. The flaw stems from improper synchronization when multiple threads concurrently access shared resources in the UI subsystem, creating a time-of-check-time-of-use (TOCTOU) window exploitable for privilege escalation. Patch available per vendor advisory. No public exploit ident
Technical ContextAI
The vulnerability resides in the Windows User Interface Core component, a fundamental subsystem managing window creation, message handling, and UI resource allocation. CWE-362 (race condition) indicates the flaw occurs when multiple execution threads access shared kernel objects or memory structures without proper locking mechanisms, creating a TOCTOU vulnerability. During UI operations requiring state transitions, an attacker with low-privilege local access can manipulate timing to win the race between permission checks and resource allocation, bypassing security boundaries. Affected CPE strings span Windows 10 (versions 1607/1809/21H2/22H2), Windows 11 (22H3/23H2/24H2/25H2/26H1), and Windows Server 2016/2019/2022/2025 including Server Core installations, representing kernel-level UI infrastructure shared across all modern Windows versions since build 10.0.14393.0.
RemediationAI
Apply the vendor-released patches immediately from Microsoft Security Response Center. Upgrade Windows 10 Version 1607 to build 10.0.14393.9060 or later, Version 1809 to 10.0.17763.8644+, Version 21H2 to 10.0.19044.7184+, and Version 22H2 to 10.0.19045.7184+. For Windows 11, upgrade 22H3/23H2 to build 10.0.22631.6936+, 24H2 to 10.0.26100.32690+, 25H2 to 10.0.26200.8246+, and 26H1 to 10.0.28000.1836+. Server administrators must patch Server 2016 to 10.0.14393.9060+, Server 2019 to 10.0.17763.8644+, Server 2022 to 10.0.20348.5020+, Server 2022 23H2 Edition to 10.0.25398.2274+, and Server 2025 to 10.0.26100.32690+. Deploy patches via Windows Update, WSUS, or SCCM. No effective workarounds exist due to the kernel-level nature of the UI subsystem; patching is the only reliable mitigation. Detailed update guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27911.
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22451