Description
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kerberos allows an unauthorized attacker to bypass a security feature over a network.
Published: 2026-03-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Security Feature Bypass Leading to Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

Concurrent execution using a shared resource with improper synchronization, a race condition, in Windows Kerberos allows an attacker to bypass a security feature over a network. Because the race disrupts normal Kerberos authentication checks, successful exploitation can lead to unauthorized access, compromising the confidentiality, integrity, and availability of the authentication process. The weakness is classified as CWE-362 (Race Condition).

Affected Systems

The vulnerability affects Microsoft Windows 10 versions 1607, 1809, 21H2, and 22H2, as well as Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, including their Server Core installations.

Risk and Exploitability

The CVSS base score is 6.5, indicating medium severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, which further points to a moderate overall risk. Exploitation requires a remote attacker to cause concurrent Kerberos operations that trigger the race condition, typically from another system within the same domain. No additional exploits or conditions are currently documented.

Generated by OpenCVE AI on March 16, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft Security Update for CVE-2026-24297 (install all available updates for the affected Windows versions).
  • Verify the update installation by checking the patch level or the specific update KB referenced in the Microsoft Security Advisory.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 19:00:00 +0000

Type: CPEs
Values Removed: none
Values Added:
  cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*
  cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*
  cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added:
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows Server 2012 (server Core Installation)
  Microsoft windows Server 2012 R2
  Microsoft windows Server 2012 R2 (server Core Installation)
  Microsoft windows Server 2016 (server Core Installation)
  Microsoft windows Server 2019 (server Core Installation)

Type: Vendors & Products
Values Removed: none
Values Added:
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows Server 2012 (server Core Installation)
  Microsoft windows Server 2012 R2
  Microsoft windows Server 2012 R2 (server Core Installation)
  Microsoft windows Server 2016 (server Core Installation)
  Microsoft windows Server 2019 (server Core Installation)

Tue, 10 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Type: Description
Values Removed: none
Values Added:
  Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kerberos allows an unauthorized attacker to bypass a security feature over a network.

Type: Title
Values Removed: none
Values Added:
  Windows Kerberos Security Feature Bypass Vulnerability

Type: First Time appeared
Values Removed: none
Values Added:
  Microsoft
  Microsoft windows 10 1607
  Microsoft windows 10 1809
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows Server 2012
  Microsoft windows Server 2012 R2
  Microsoft windows Server 2016
  Microsoft windows Server 2019

Type: Weaknesses
Values Removed: none
Values Added:
  CWE-362

Type: CPEs
Values Removed: none
Values Added:
  cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
  cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
  cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
  cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: none
Values Added:
  Microsoft
  Microsoft windows 10 1607
  Microsoft windows 10 1809
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows Server 2012
  Microsoft windows Server 2012 R2
  Microsoft windows Server 2016
  Microsoft windows Server 2019

Type: References
Values Removed: none
Values Added: (none listed)

Type: Metrics
Values Removed: none
Values Added: cvssV3_1
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:32:36.379Z

Reserved: 2026-01-21T21:28:02.969Z

Link: CVE-2026-24297

Vulnrichment

Updated: 2026-03-10T18:40:45.450Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:27.180

Modified: 2026-03-13T18:48:18.110

Link: CVE-2026-24297

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:34:47Z

Weaknesses