Impact
A use-after-free in the Windows Speech Brokered API allows an authorized local attacker to obtain elevated privileges. The defect is a race condition followed by an invalid memory reference (a use-after-free), which lets the attacker execute code with higher rights and potentially gain system-wide control. The vulnerability is classified under CWE-362 (race condition) and CWE-416 (use after free), i.e. a race condition that leads to a use-after-free error.
Affected Systems
Microsoft Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1, 22H3), and Windows Server 2016, 2019, 2022, 2025 plus the 23H2 edition, Server Core installations included. These cover both desktop and server operating systems running on x86, x64, or ARM64 architectures.
Risk and Exploitability
The vulnerability has a CVSS base score of 7.8, i.e. high severity for a locally exploitable flaw. EPSS data is unavailable, and the issue is not listed in the CISA KEV catalog, which suggests a lower likelihood of widespread exploitation at present. An attacker must be able to invoke the Speech Brokered API from a user context that can reach the vulnerable code, which typically requires prior local access or malicious software already running on the machine. A successful exploit would let the attacker run code with elevated privileges, compromising the confidentiality, integrity, and availability of the affected system.
OpenCVE Enrichment