Description
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
Published: 2026-01-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local privilege escalation
Action: Apply patch
AI Analysis

Impact

A race condition in Windows Management Services allows a local, low-privileged user to gain elevated privileges. The flaw is a concurrent-execution bug (CWE-362, with CWE-416 use-after-free also listed): a shared resource is used without proper synchronization, so an attacker who can trigger the right interleaving of operations reaches functionality the service should expose only to higher-privileged callers. Winning the race lets a standard user account escalate to a higher-privileged context such as administrator or SYSTEM.

Affected Systems

The vulnerability affects Microsoft Windows 10 (versions 1809, 21H2, and 22H2), Windows 11 (versions 23H2, 24H2, and 25H2), Windows Server 2019 (including Server Core installations), Windows Server 2022 and the Windows Server 2022 23H2 edition (including Server Core installations), and Windows Server 2025 (including Server Core installations). The CPE entries below cover the x86, x64, and arm64 builds Microsoft lists.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 7.8 (High), vector AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. The attack is local, needs only low privileges and no user interaction, and attack complexity is rated high because the attacker must win a timing race against the service; a successful exploit changes scope and gives full control of confidentiality, integrity, and availability. The temporal metrics E:U/RL:O/RC:C state that no exploit is known, an official fix is available, and the report is confirmed. EPSS is below 1%, the CVE is not in the CISA Known Exploited Vulnerabilities catalog, and the SSVC data records Exploitation: none and Automatable: no with total technical impact, so the current likelihood of exploitation is low. The attacker needs to run code on the host as an ordinary authenticated user and to interact with Windows Management Services; administrative access is not a prerequisite, which is what makes this an elevation-of-privilege issue.

Generated by OpenCVE AI on April 16, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround is recorded in this section, but the CVSS temporal vector (RL:O, official fix) and the recommended actions below indicate that a Microsoft security update for CVE-2026-20918 is available; apply it.

OpenCVE Recommended Actions

  • Apply the Microsoft security update that fixes CVE-2026-20918 on the affected Windows or Windows Server operating systems, and verify on each host that the update is actually installed.
  • If a patch cannot be installed immediately, limit local accounts’ permissions to interact with Windows Management Services and enforce least‑privilege principles for users who can invoke the service.
  • Monitor Event Logs for unusual privilege escalation or abnormal activity related to Windows Management Services and assess whether disabling or restricting the service is feasible for your environment.
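The following PowerShell script is an added triage example for the three actions above; it is not from Microsoft or OpenCVE. Two things are assumptions because the page does not state them: the KB number of the fixing update is taken as a parameter (look it up in the MSRC entry for CVE-2026-20918), and the script does not stop or restrict any service because the page never identifies which Windows service "Windows Management Services" is. It checks patch presence, then summarises Security event 4672 ("Special privileges assigned to new logon") per account, which is one concrete way to watch for a standard user suddenly holding sensitive privileges.

```powershell
# Added example for CVE-2026-20918 triage (not Microsoft's or OpenCVE's code).
# ASSUMPTIONS: the fixing KB is not on the page, so it is a parameter; the service
# name is not on the page, so no service is touched. Run elevated: reading the
# Security log requires local Administrators.
param(
    # KB article of the cumulative update that fixes CVE-2026-20918 on this OS (assumed input).
    [Parameter(Mandatory = $true)][string]$FixKB,
    # How far back to scan the Security log.
    [int]$LookbackHours = 24
)

# 1. OS build and patch presence.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("Host: {0}  Build: {1}  ({2})" -f $env:COMPUTERNAME, $os.BuildNumber, $os.Caption)

$hotfix = Get-HotFix -Id $FixKB -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Host ("{0} installed on {1}" -f $FixKB, $hotfix.InstalledOn)
} else {
    Write-Warning ("{0} not found by Get-HotFix; host may still be vulnerable" -f $FixKB)
}

# 2. Accounts that received sensitive privileges at logon (Security event 4672).
#    Built-in service identities and machine accounts (names ending in $) are
#    dropped; what remains should be your known administrators only.
$builtin = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'DWM-1', 'UMFD-0')
$since   = (Get-Date).AddHours(-$LookbackHours)
$events  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } `
                        -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host ("No 4672 events in the last {0} hours." -f $LookbackHours)
    return
}

$events |
    ForEach-Object {
        # 4672 property order: SubjectUserSid, SubjectUserName, SubjectDomainName,
        # SubjectLogonId, PrivilegeList
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $_.Properties[1].Value
            Domain     = $_.Properties[2].Value
            Privileges = ($_.Properties[4].Value -replace '\s+', ' ').Trim()
        }
    } |
    Where-Object { $_.User -notin $builtin -and $_.User -notmatch '\$$' } |
    Group-Object User |
    Sort-Object Count -Descending |
    ForEach-Object {
        $privs = ($_.Group.Privileges -split ' ' | Sort-Object -Unique) -join ' '
        [pscustomobject]@{ User = $_.Name; Logons = $_.Count; Privileges = $privs }
    } |
    Format-Table -AutoSize
```

Get-HotFix only reports what Win32_QuickFixEngineering records, so if the KB is not listed, cross-check the reported build number against the build Microsoft publishes for that update before declaring the host patched. An unexpected account in the 4672 summary, especially one holding SeDebugPrivilege or SeTcbPrivilege, is the signal worth investigating; the script deliberately reports rather than blocks.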


Advisories

No advisories yet.

History

Fri, 16 Jan 2026 22:15:00 +0000

Values Removed: none

Type: Metrics (ssvc)
Values Added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 15 Jan 2026 21:30:00 +0000

Values Removed: none

Type: First Time appeared
Values Added:
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows 11 23h2
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows Server 2022 23h2

Type: CPEs
Values Added:
  cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added:
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows 11 23h2
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows Server 2022 23h2

Tue, 13 Jan 2026 18:15:00 +0000

Values Removed: none

Type: Description
Values Added:
  Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.

Type: Title
Values Added:
  Windows Management Services Elevation of Privilege Vulnerability

Type: First Time appeared
Values Added:
  Microsoft
  Microsoft windows 10 1809
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows 11 23h2
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows Server 2019
  Microsoft windows Server 2022
  Microsoft windows Server 2025
  Microsoft windows Server 23h2

Type: Weaknesses
Values Added:
  CWE-362
  CWE-416

Type: CPEs
Values Added:
  cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
  cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
  cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added:
  Microsoft
  Microsoft windows 10 1809
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows 11 23h2
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows Server 2019
  Microsoft windows Server 2022
  Microsoft windows Server 2025
  Microsoft windows Server 23h2

Type: References
Values Added:
  (not shown on this page)

Type: Metrics (cvssV3_1)
Values Added:
  {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:48:46.710Z

Reserved: 2025-12-04T20:04:16.334Z

Link: CVE-2026-20918

Vulnrichment

Updated: 2026-01-13T19:34:22.768Z

NVD

Status : Analyzed

Published: 2026-01-13T18:16:17.973

Modified: 2026-01-15T21:22:36.293

Link: CVE-2026-20918

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T08:30:29Z

Weaknesses