A time‑of‑check time‑of‑use (TOCTOU) race condition exists in the Program Compatibility Assistant Service. The flaw allows an attacker who already has local system access to manipulate the service’s race condition checks, thereby creating a scenario where the service can be coerced into granting elevated privileges. The impact is a local privilege escalation that compromises confidentiality, integrity, and availability of the compromised system.

Microsoft Windows 10 version 21H2 and 22H2, Microsoft Windows 11 versions 23H2, 24H2, 25H2, and 26H1, and Microsoft Windows Server 2022 and 2025, including Server Core installations. The affected builds are identified by the CPE strings for x86, x64, and arm64 architectures as listed in the CVE.

The CVSS score is 7.8, indicating a high‑severity local privilege‑escalation vulnerability. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires local authorized access; an attacker would race the service’s checks to gain elevated rights. Because the flaw is local and does not rely on network exposure, external attackers have limited reach, but the consequence for a compromised privileged account is severe.