Description
Concurrent execution using shared resource with improper synchronization ('race condition') in Printer Association Object allows an authorized attacker to elevate privileges locally.
Published: 2026-01-13
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

A race condition (concurrent execution using a shared resource with improper synchronization) in the Printer Association Object allows an authorized attacker to elevate privileges locally. The flaw arises from incorrect handling of shared resources. The direct consequence is that the attacker can raise their privileges on affected Windows installations.

Affected Systems

The flaw affects Microsoft Windows 11 24H2, Windows 11 25H2, Windows Server 2022 23H2 (Server Core), and Windows Server 2025 (Server Core). Both 64‑bit and ARM64 builds are vulnerable as indicated by the enumerated CPEs.

Risk and Exploitability

The CVSS score of 7 indicates high severity, while the EPSS score below 1% signals a very low likelihood of widespread exploitation as of current data. The vulnerability is not listed in the Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the attack vector is local and requires an authorized attacker to initiate operations that access the Printer Association Object. The potential impact is the compromise of local system integrity due to privilege escalation.

Generated by OpenCVE AI on April 18, 2026 at 19:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the official Microsoft security update for Windows 11 24H2, 25H2, Windows Server 2022 23H2, and Windows Server 2025 from the Microsoft Update Catalog or through Windows Update.
  • Restart affected systems to ensure the update is fully applied and the Printer Association Object is corrected.
  • If the update is not yet available, limit local account privileges or disable printer association via Group Policy to prevent unauthorized printer configuration until the patch is installed.



Advisories

No advisories yet.

History

Fri, 16 Jan 2026 22:15:00 +0000

Type Values Removed Values Added

Metrics:
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 20:15:00 +0000

Type Values Removed Values Added

First Time appeared:
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows Server 2022 23h2
CPEs:
  cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Vendors & Products:
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows Server 2022 23h2

Tue, 13 Jan 2026 18:15:00 +0000

Type Values Removed Values Added

Description:
  Concurrent execution using shared resource with improper synchronization ('race condition') in Printer Association Object allows an authorized attacker to elevate privileges locally.
Title:
  Windows File Explorer Elevation of Privilege Vulnerability
First Time appeared:
  Microsoft
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows Server 2025
  Microsoft windows Server 23h2
Weaknesses:
  CWE-362
CPEs:
  cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products:
  Microsoft
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows Server 2025
  Microsoft windows Server 23h2
References:
Metrics:
  cvssV3_1 {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:48:17.881Z

Reserved: 2025-12-03T05:54:20.372Z

Link: CVE-2026-20808

Vulnrichment

Updated: 2026-01-13T19:40:38.104Z

NVD

Status: Analyzed

Published: 2026-01-13T18:16:07.197

Modified: 2026-01-14T20:10:29.687

Link: CVE-2026-20808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses