Skip to main content

Microsoft EUVDEUVD-2026-22556

| CVE-2026-32164 HIGH
Race Condition (CWE-362)
2026-04-14 microsoft
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:34 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22556
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
HIGH 7.8

DescriptionCVE.org

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows User Interface Core across Windows 10, 11, and Server 2016-2025 allows low-privileged authenticated users to gain elevated system access via a race condition vulnerability. Attack complexity is high (AC:H), requiring precise timing exploitation of shared resource synchronization flaws. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the local attack vector and authenticated requirement

Technical ContextAI

This vulnerability exploits CWE-362 (Race Condition) in the Windows User Interface Core component, a fundamental subsystem managing graphical interface elements and user interaction primitives across the Windows operating system. Race conditions occur when multiple threads or processes access shared resources without proper synchronization mechanisms, creating windows of opportunity where intermediate states can be manipulated. In Windows UI Core, this likely involves time-of-check-time-of-use (TOCTOU) flaws where security decisions are made based on resource states that change between validation and usage. The widespread impact across CPE strings spanning Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server editions (2016, 2019, 2022, 2025) including Server Core installations indicates a deeply embedded architectural issue in shared UI rendering or input handling code paths. The scope change (S:C) in the CVSS vector suggests the vulnerability can affect resources beyond the vulnerable component's security context, potentially breaking kernel/usermode isolation boundaries.

RemediationAI

Apply vendor-released security updates immediately through Windows Update or WSUS. Patched versions include Windows 10 1607 build 10.0.14393.9060 or later, Windows 10 1809 build 10.0.17763.8644 or later, Windows 10 21H2/22H2 builds 10.0.19044.7184/10.0.19045.7184 or later, Windows 11 22H3/23H2 build 10.0.22631.6936 or later, Windows 11 24H2/25H2/26H1 builds 10.0.26100.32690, 10.0.26200.8246, and 10.0.28000.1836 respectively, Windows Server 2016 build 10.0.14393.9060 or later, Server 2019 build 10.0.17763.8644 or later, Server 2022 build 10.0.20348.5020 or later (23H2 Edition 10.0.25398.2274 or later), and Server 2025 build 10.0.26100.32690 or later. Prioritize patching multi-user systems, terminal servers, and systems accessible to lower-privileged accounts. No effective workarounds exist for race condition vulnerabilities in core OS components. Download patches from official Microsoft Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32164 or deploy via enterprise patch management infrastructure.

Share

EUVD-2026-22556 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy