Skip to main content

Windows Speech Brokered API EUVDEUVD-2026-22526

| CVE-2026-32089 HIGH
Use After Free (CWE-416)
2026-04-14 microsoft GHSA-2h57-5ppx-7x34
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Apr 21, 2026 - 15:15 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:18 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22526
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
HIGH 7.8

DescriptionCVE.org

Use after free in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows Speech Brokered API allows authenticated users to gain SYSTEM-level access via use-after-free memory corruption. All supported Windows 10, Windows 11, and Windows Server versions (2016-2025) are affected. Microsoft released patches in their April 2026 security update cycle. EPSS score of 0.04% (12th percentile) indicates low exploitation likelihood in the wild, and no active exploitation or public exploit code has been identified at time of analysis.

Technical ContextAI

The Windows Speech Brokered API provides a controlled interface for sandboxed applications to access speech recognition services. The vulnerability stems from a use-after-free condition (CWE-416), where the API incorrectly manages memory lifecycle-attempting to access a heap object after it has been freed. This class of memory corruption occurs when references to deallocated memory are not properly invalidated, allowing an attacker to manipulate freed memory through controlled allocations. When successfully exploited, the attacker can redirect program execution flow by overwriting function pointers or other critical structures in the freed region. The vulnerability affects the core Windows speech subsystem present across all Windows NT 10.0 kernel versions from Windows 10 1607 (build 14393) through the latest Windows 11 26H1 and Windows Server 2025 releases, indicating the flaw exists in shared speech handling components maintained across multiple Windows generations.

RemediationAI

Apply Microsoft's April 2026 security updates immediately to patch the vulnerability. Fixed versions include: Windows 10 1607 build 10.0.14393.9060 or later, Windows 10 1809 build 10.0.17763.8644 or later, Windows 10 21H2 build 10.0.19044.7184 or later, Windows 10 22H2 build 10.0.19045.7184 or later, Windows 11 22H3/23H2 build 10.0.22631.6936 or later, Windows 11 24H2 and Server 2025 build 10.0.26100.32690 or later, Windows 11 25H2 build 10.0.26200.8246 or later, Windows 11 26H1 build 10.0.28000.1836 or later, Windows Server 2016 build 10.0.14393.9060 or later, Windows Server 2019 build 10.0.17763.8644 or later, Windows Server 2022 build 10.0.20348.5020 or later, and Server 2022 23H2 build 10.0.25398.2274 or later. Organizations can deploy patches through Windows Update, WSUS, Configuration Manager, or Microsoft Update Catalog. No effective workaround exists that eliminates the vulnerability without patching, as disabling Windows Speech Recognition services would break accessibility features and voice-enabled applications critical to many users. Compensating controls include restricting local administrator access and limiting membership in privileged groups to reduce the pool of authenticated users who could exploit this vulnerability, though these measures do not prevent exploitation by standard authenticated users. Monitor for unusual process creation from speech service executables or unexpected privilege token modifications associated with speech API interactions, though these detection strategies may generate false positives and should not replace timely patching. System reboots are required to complete patch installation for this kernel-level component.

Share

EUVD-2026-22526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy