Skip to main content

Microsoft EUVDEUVD-2026-22549

| CVE-2026-32160 HIGH
Race Condition (CWE-362)
2026-04-14 microsoft GHSA-x9rv-gxr3-cf36
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:20 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22549
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
HIGH 7.8

DescriptionCVE.org

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows Push Notifications service affects Windows 10 (1809-22H2), Windows 11 (22H3-26H1), and Windows Server 2019-2025 via race condition in shared resource synchronization. Low-privileged authenticated users can exploit timing vulnerabilities in notification handling to elevate to SYSTEM-level privileges with high confidentiality, integrity, and availability impact (scope change to other security contexts). CVSS 7.8 (high complexity, local vector). Vendor-released

Technical ContextAI

This vulnerability exploits a classic race condition (CWE-362) in Windows Push Notifications Platform User Service (WpnUserService), a component responsible for managing notification delivery and display across Windows desktop and server environments. Race conditions occur when multiple threads or processes access shared resources without proper synchronization primitives (mutexes, semaphores, critical sections). The Windows notification subsystem handles inter-process communication between applications requesting notifications and system-level services rendering them, creating windows of opportunity where Time-Of-Check-Time-Of-Use (TOCTOU) attacks can occur. An attacker with low-privilege local access can manipulate the timing of concurrent notification requests to corrupt shared memory structures, bypass security checks, or hijack privileged operations performed by the SYSTEM-context notification service. The scope change (S:C) in CVSS indicates the vulnerability allows escaping the security boundary of the WpnUserService process to impact other Windows subsystems. The affected CPE strings confirm impact across the entire modern Windows ecosystem from legacy 1809 builds through current 26H1 preview releases, including Server Core installations lacking GUI components but still running notification infrastructure for administrative alerts.

RemediationAI

Apply vendor-released security updates immediately via Windows Update or WSUS infrastructure. Patched versions: Windows 10 1809 build 10.0.17763.8644 or later, Windows 10 21H2 build 10.0.19044.7184 or later, Windows 10 22H2 build 10.0.19045.7184 or later, Windows 11 22H3/23H2 build 10.0.22631.6936 or later, Windows 11 24H2 build 10.0.26100.32690 or later, Windows 11 25H2 build 10.0.26200.8246 or later, Windows 11 26H1 build 10.0.28000.1836 or later, Windows Server 2019 build 10.0.17763.8644 or later, Windows Server 2022 build 10.0.20348.5020 or later, Windows Server 2022 23H2 Edition build 10.0.25398.2274 or later, Windows Server 2025 build 10.0.26100.32690 or later. Install patches from Microsoft's March 2026 Patch Tuesday release cycle. No workarounds identified; mitigation relies on kernel-level synchronization fixes. Organizations unable to patch immediately should enforce least-privilege principles, restrict local logon rights to trusted users only, enable Windows

Share

EUVD-2026-22549 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy