CVE-2026-32088 - Vulnerability Details

- Windows Biometric Service Security Feature Bypass Vulnerability

Description

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Biometric Service allows an unauthorized attacker to bypass a security feature with a physical attack.

Published: 2026-04-14

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A race condition exists in the Windows Biometric Service that allows an attacker to perform concurrent operations on a shared resource. By exploiting this improper synchronization, an attacker with physical access to the device can bypass the configured security checks and cause the system to accept biometric data without proper authentication. This flaw enables an unauthorized user to gain access to the affected machine, potentially elevating privileges or accessing protected information.

Affected Systems

The vulnerability is present in Microsoft Windows operating systems and affects the following releases: Windows 10 version 1809, 21H2, 22H2; Windows 11 version 23H2, 24H2, 25H2, 26H1, 22H3; and Windows Server releases 2019, 2022, 2025, and the 23H2 edition, both full and Server Core installations.

Risk and Exploitability

The CVSS base score of 6.1 indicates moderate severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog, yet exploitation requires direct, physical presence on the target device. An attacker can trigger the race condition by submitting multiple biometric requests simultaneously, thereby bypassing authentication checks. The overall risk is moderate, but the possibility of gaining unauthorized access justifies prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Microsoft

Windows 10 Version 1809

affected

Version	Status	Constraints
`10.0.17763.0`	affected	< 10.0.17763.8644

Microsoft

Windows 10 Version 21H2

affected

Version	Status	Constraints
`10.0.19044.0`	affected	< 10.0.19044.7184

Microsoft

Windows 10 Version 22H2

affected

Version	Status	Constraints
`10.0.19045.0`	affected	< 10.0.19045.7184

Microsoft

Windows 11 version 22H3

affected

Version	Status	Constraints
`10.0.22631.0`	affected	< 10.0.22631.6936

Microsoft

Windows 11 Version 23H2

affected

Version	Status	Constraints
`10.0.22631.0`	affected	< 10.0.22631.6936

Microsoft

Windows 11 Version 24H2

affected

Version	Status	Constraints
`10.0.26100.0`	affected	< 10.0.26100.8246

Microsoft

Windows 11 Version 25H2

affected

Version	Status	Constraints
`10.0.26200.0`	affected	< 10.0.26200.8246

Microsoft

Windows 11 version 26H1

affected

Version	Status	Constraints
`10.0.28000.0`	affected	< 10.0.28000.1836

Microsoft

Windows Server 2019

affected

Version	Status	Constraints
`10.0.17763.0`	affected	< 10.0.17763.8644

Microsoft

Windows Server 2019 (Server Core installation)

affected

Version	Status	Constraints
`10.0.17763.0`	affected	< 10.0.17763.8644

Microsoft

Windows Server 2022

affected

Version	Status	Constraints
`10.0.20348.0`	affected	< 10.0.20348.5020

Microsoft

Windows Server 2022, 23H2 Edition (Server Core installation)

affected

Version	Status	Constraints
`10.0.25398.0`	affected	< 10.0.25398.2274

Microsoft

Windows Server 2025

affected

Version	Status	Constraints
`10.0.26100.0`	affected	< 10.0.26100.32690

Microsoft

Windows Server 2025 (Server Core installation)

affected

Version	Status	Constraints
`10.0.26100.0`	affected	< 10.0.26100.32690

No data.

Vendor Product Confidence Versions

Microsoft

Windows 10 1809

86%

Version	Status	Scheme	Platform
`[10.0.17763.0,10.0.17763.8644)`	affected	generic	['32-bit_systems', 'x64-based_systems']

Microsoft

Windows 10 21h2

86%

Version	Status	Scheme	Platform
`[10.0.19044.0,10.0.19044.7184)`	affected	generic	['32-bit_systems', 'arm64-based_systems', 'x64-based_systems']

Microsoft

Windows 10 22h2

86%

Version	Status	Scheme	Platform
`[10.0.19045.0,10.0.19045.7184)`	affected	generic	['32-bit_systems', 'arm64-based_systems', 'x64-based_systems']

Microsoft

Windows 11 22h3

86%

Version	Status	Scheme	Platform
`[10.0.22631.0,10.0.22631.6936)`	affected	generic	['arm64-based_systems']

Microsoft

Windows 11 23h2

86%

Version	Status	Scheme	Platform
`[10.0.22631.0,10.0.22631.6936)`	affected	generic	['x64-based_systems']

Microsoft

Windows 11 24h2

86%

Version	Status	Scheme	Platform
`[10.0.26100.0,10.0.26100.32690)`	affected	generic	['arm64-based_systems', 'x64-based_systems']

Microsoft

Windows 11 25h2

86%

Version	Status	Scheme	Platform
`[10.0.26200.0,10.0.26200.8246)`	affected	generic	['arm64-based_systems', 'x64-based_systems']

Microsoft

Windows 11 26h1

86%

Version	Status	Scheme	Platform
`[10.0.28000.0,10.0.28000.1836)`	affected	generic	['arm64-based_systems', 'x64-based_systems']

Microsoft

Windows Server 2019

100%

Version	Status	Scheme	Platform
`[10.0.17763.0,10.0.17763.8644)`	affected	generic	['x64-based_systems']

Microsoft

Windows Server 2019 (server Core Installation)

100%

Version	Status	Scheme	Platform
`[10.0.17763.0,10.0.17763.8644)`	affected	generic	['x64-based_systems']

Microsoft

Windows Server 2022

100%

Version	Status	Scheme	Platform
`[10.0.20348.0,10.0.20348.5020)`	affected	generic	['x64-based_systems']

Microsoft

Windows Server 2022, 23h2 Edition (server Core Installation)

100%

Version	Status	Scheme	Platform
`[10.0.25398.0,10.0.25398.2274)`	affected	generic	['x64-based_systems']

Microsoft

Windows Server 2025

100%

Version	Status	Scheme	Platform
`[10.0.26100.0,10.0.26100.32690)`	affected	generic	['x64-based_systems']

Microsoft

Windows Server 2025 (server Core Installation)

100%

Version	Status	Scheme	Platform
`[10.0.26100.0,10.0.26100.32690)`	affected	generic	['x64-based_systems']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Microsoft security update for CVE-2026-32088 via the Microsoft Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32088.
Confirm that all affected Windows 10, Windows 11, and Windows Server deployments are running the latest cumulative updates.
Restrict physical access to devices with biometric hardware and enforce device security policies to prevent unauthorized concurrent use.
Monitor authentication and event logs for suspicious biometric activity, such as repeated or concurrent attempts, and investigate promptly.
Keep abreast of any additional advisories or patches from Microsoft regarding this vulnerability.

Generated by OpenCVE AI on April 14, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00044.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32088

History

Wed, 15 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft windows 10 21h2 Microsoft windows 10 22h2 Microsoft windows 11 22h3 Microsoft windows 11 23h2 Microsoft windows 11 24h2 Microsoft windows 11 25h2 Microsoft windows 11 26h1 Microsoft windows Server 2019 (server Core Installation) Microsoft windows Server 2022, 23h2 Edition (server Core Installation) Microsoft windows Server 2025 (server Core Installation)
Vendors & Products		Microsoft windows 10 21h2 Microsoft windows 10 22h2 Microsoft windows 11 22h3 Microsoft windows 11 23h2 Microsoft windows 11 24h2 Microsoft windows 11 25h2 Microsoft windows 11 26h1 Microsoft windows Server 2019 (server Core Installation) Microsoft windows Server 2022, 23h2 Edition (server Core Installation) Microsoft windows Server 2025 (server Core Installation)

Tue, 14 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 14 Apr 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Biometric Service allows an unauthorized attacker to bypass a security feature with a physical attack.
Title		Windows Biometric Service Security Feature Bypass Vulnerability
First Time appeared		Microsoft Microsoft windows 10 1809 Microsoft windows 10 21h2 Microsoft windows 10 22h2 Microsoft windows 11 23h2 Microsoft windows 11 24h2 Microsoft windows 11 25h2 Microsoft windows 11 26h1 Microsoft windows Server 2019 Microsoft windows Server 2022 Microsoft windows Server 2025 Microsoft windows Server 23h2
Weaknesses		CWE-362
CPEs		cpe:2.3:o:microsoft:windows_10_1809:::::::x86:* cpe:2.3:o:microsoft:windows_10_21H2:::::::x86:* cpe:2.3:o:microsoft:windows_10_22H2:::::::x64:* cpe:2.3:o:microsoft:windows_11_23H2:::::::arm64:* cpe:2.3:o:microsoft:windows_11_23H2:::::::x64:* cpe:2.3:o:microsoft:windows_11_24H2:::::::arm64:* cpe:2.3:o:microsoft:windows_11_25H2:::::::arm64:* cpe:2.3:o:microsoft:windows_11_26H1:::::::arm64:* cpe:2.3:o:microsoft:windows_server_2019:::::::: cpe:2.3:o:microsoft:windows_server_2022:::::::: cpe:2.3:o:microsoft:windows_server_2025:::::::: cpe:2.3:o:microsoft:windows_server_23h2::::::::
Vendors & Products		Microsoft Microsoft windows 10 1809 Microsoft windows 10 21h2 Microsoft windows 10 22h2 Microsoft windows 11 23h2 Microsoft windows 11 24h2 Microsoft windows 11 25h2 Microsoft windows 11 26h1 Microsoft windows Server 2019 Microsoft windows Server 2022 Microsoft windows Server 2025 Microsoft windows Server 23h2
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32088
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}`

Subscriptions

Microsoft Windows 10 1809 Windows 10 21h2 Windows 10 21h2 Windows 10 22h2 Windows 10 22h2 Windows 11 22h3 Windows 11 23h2 Windows 11 23h2 Windows 11 24h2 Windows 11 24h2 Windows 11 25h2 Windows 11 25h2 Windows 11 26h1 Windows 11 26h1 Windows Server 2019 Windows Server 2019 (server Core Installation) Windows Server 2022 Windows Server 2022, 23h2 Edition (server Core Installation) Windows Server 2025 Windows Server 2025 (server Core Installation) Windows Server 23h2

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-04-14T16:58:24.129Z

Updated: 2026-04-17T16:13:14.172Z

Reserved: 2026-03-10T22:02:18.667Z

Link: CVE-2026-32088

Vulnrichment

Updated: 2026-04-14T18:52:23.935Z

NVD

Status : Awaiting Analysis

Published: 2026-04-14T18:17:13.200

Modified: 2026-04-17T15:10:35.607

Link: CVE-2026-32088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:15:06Z

Weaknesses

CWE-362

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object