Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows Brokering File System allows unprivileged attackers with physical or local access to gain SYSTEM-level privileges through a race condition vulnerability. The flaw affects all supported Windows 10, Windows 11, and Windows Server versions from 2016 through 2025. Despite an 8.4 CVSS score indicating high severity, real-world risk is moderate: EPSS score of 0.04% (12th percentile) suggests low exploitation likelihood, SSVC framework confirms no active exploitation, and the local attack vector limits exposure to scenarios where attackers already have local access. Vendor-released patches are available for all affected versions.
Technical ContextAI
The Windows Brokering File System (BFS) is a kernel-mode component that mediates file system access between different privilege contexts and security boundaries in Windows. This vulnerability stems from CWE-362 (Race Condition), where multiple threads or processes can access shared kernel resources without proper synchronization primitives like mutexes or locks. The flaw occurs when time-of-check-time-of-use (TOCTOU) windows allow attackers to manipulate file system objects or security tokens between validation and usage. The CVSS vector AV:L indicates the vulnerability requires local access to the target system, while PR:N means no prior authentication is needed once local access is achieved. The S:U (unchanged scope) suggests the vulnerability operates within the BFS component's privilege boundary but allows escalation to higher privileges within that scope. CPE data confirms impact across Windows 10 (versions 1607 through 22H2), Windows 11 (22H3 through 26H1), and all Windows Server versions from 2016 through 2025, indicating the vulnerable code has persisted across multiple Windows generations.
RemediationAI
Apply Microsoft's security updates immediately through Windows Update or WSUS for all affected systems. Specific patched versions: Windows 10 1607/Server 2016 to build 10.0.14393.9060 or later, Windows 10 1809/Server 2019 to build 10.0.17763.8644 or later, Windows 10 21H2 to build 10.0.19044.7184 or later, Windows 10 22H2 to build 10.0.19045.7184 or later, Windows 11 22H3/23H2 to build 10.0.22631.6936 or later, Windows 11 24H2/Server 2025 to build 10.0.26100.32690 or later, Windows 11 25H2 to build 10.0.26200.8246 or later, Windows 11 26H1 to build 10.0.28000.1836 or later, and Windows Server 2022 23H2 to build 10.0.25398.2274 or later. For environments unable to patch immediately, implement compensating controls: restrict local logon rights through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally') to trusted administrator accounts only, which eliminates the PR:N condition by requiring authentication; enable Windows Defender Credential Guard on Windows 11 and Server 2022+ to limit token manipulation attacks (requires UEFI, TPM 2.0, and may impact legacy applications using unconstrained Kerberos delegation); implement application allowlisting via AppLocker or Windows Defender Application Control to prevent unauthorized local code execution (introduces operational overhead for software deployment). These mitigations reduce but do not eliminate risk as race conditions can still be triggered by authorized processes. Detailed advisory and patch downloads: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32091.
Same weakness CWE-362 – Race Condition
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22530