An authorized local user can trigger a use‑after‑free bug in Microsoft Windows Management Services, allowing that user to elevate privileges to local administrator level. The flaw is a classic memory‑management race condition (CWE‑362) that results in use‑after‑free (CWE‑416). An attacker can execute arbitrary code with higher privileges, which could lead to system compromise, data exfiltration, or installation of additional malware. The impact is limited to the machine that the attacker has local access to, but the elevated privileges grant full control over the system.

Microsoft Windows 10 versions 1809, 21H2, and 22H2; Windows 11 versions 22H3, 23H2, 24H2, and 25H2; Windows Server 2019, Server 2022 (including core installations), and Server 2025 versions. The vulnerability applies to both 32‑bit and 64‑bit builds of these releases as reflected in the affected CPEs.

The CVSS score of 7.8 describes the vulnerability as high severity. EPSS indicates a very low exploitation probability (<1%). The vulnerability is not listed in the CISA KEV catalog, so no known field‑in‑the‑wild exploitation is reported yet. Because the flaw requires local authorization and an exploited race condition, the attack vector is local only. An attacker would need the ability to trigger the race condition in the service, which typically requires malicious code running under a user account that has permission to re‑start or interact with the Management Service.