Impact
A time-of-check time-of-use (TOCTOU) race condition in Windows Installer can be exploited by an authenticated local user to gain elevated privileges on the affected system. The flaw, classified as CWE-367, allows the attacker to manipulate the installation process after a permissions check but before the action is performed, so that code runs with higher privileges than originally granted. The vulnerability does not provide remote access capabilities and requires existing authorized credentials to begin the exploit chain.
Affected Systems
Windows operating systems and Server editions from Windows 10 Version 1607 through Windows 11 Version 25H2, as well as Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022 and 2025 (including Server Core installations) are impacted. The full list of affected builds is enumerated in the CNA vendor/product list.
Risk and Exploitability
With a CVSS v3.1 score of 7.8, the flaw is a high-severity local privilege escalation. The EPSS score of <1% indicates that the likelihood of exploitation at any given time is very low, and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is local, requiring the attacker to have sufficient privileges to initiate the installer. Once the race condition is triggered, the attacker can execute arbitrary code with elevated system rights.