Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
Use after free in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows Speech Brokered API allows authenticated users to gain SYSTEM-level access via use-after-free memory corruption. All supported Windows 10, Windows 11, and Windows Server versions (2016-2025) are affected. Microsoft released patches in their April 2026 security update cycle. EPSS score of 0.04% (12th percentile) indicates low exploitation likelihood in the wild, and no active exploitation or public exploit code has been identified at time of analysis.
Technical ContextAI
The Windows Speech Brokered API provides a controlled interface for sandboxed applications to access speech recognition services. The vulnerability stems from a use-after-free condition (CWE-416), where the API incorrectly manages memory lifecycle-attempting to access a heap object after it has been freed. This class of memory corruption occurs when references to deallocated memory are not properly invalidated, allowing an attacker to manipulate freed memory through controlled allocations. When successfully exploited, the attacker can redirect program execution flow by overwriting function pointers or other critical structures in the freed region. The vulnerability affects the core Windows speech subsystem present across all Windows NT 10.0 kernel versions from Windows 10 1607 (build 14393) through the latest Windows 11 26H1 and Windows Server 2025 releases, indicating the flaw exists in shared speech handling components maintained across multiple Windows generations.
RemediationAI
Apply Microsoft's April 2026 security updates immediately to patch the vulnerability. Fixed versions include: Windows 10 1607 build 10.0.14393.9060 or later, Windows 10 1809 build 10.0.17763.8644 or later, Windows 10 21H2 build 10.0.19044.7184 or later, Windows 10 22H2 build 10.0.19045.7184 or later, Windows 11 22H3/23H2 build 10.0.22631.6936 or later, Windows 11 24H2 and Server 2025 build 10.0.26100.32690 or later, Windows 11 25H2 build 10.0.26200.8246 or later, Windows 11 26H1 build 10.0.28000.1836 or later, Windows Server 2016 build 10.0.14393.9060 or later, Windows Server 2019 build 10.0.17763.8644 or later, Windows Server 2022 build 10.0.20348.5020 or later, and Server 2022 23H2 build 10.0.25398.2274 or later. Organizations can deploy patches through Windows Update, WSUS, Configuration Manager, or Microsoft Update Catalog. No effective workaround exists that eliminates the vulnerability without patching, as disabling Windows Speech Recognition services would break accessibility features and voice-enabled applications critical to many users. Compensating controls include restricting local administrator access and limiting membership in privileged groups to reduce the pool of authenticated users who could exploit this vulnerability, though these measures do not prevent exploitation by standard authenticated users. Monitor for unusual process creation from speech service executables or unexpected privilege token modifications associated with speech API interactions, though these detection strategies may generate false positives and should not replace timely patching. System reboots are required to complete patch installation for this kernel-level component.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22526
GHSA-2h57-5ppx-7x34