CVE-2026-26167

Summary

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

Affected Software

VendorProductVersion RangeStatus
MicrosoftWindows 10 Version 160710.0.14393.0 < 10.0.14393.9060affected
MicrosoftWindows 10 Version 180910.0.17763.0 < 10.0.17763.8644affected
MicrosoftWindows 10 Version 21H210.0.19044.0 < 10.0.19044.7184affected
MicrosoftWindows 10 Version 22H210.0.19045.0 < 10.0.19045.7184affected
MicrosoftWindows 11 version 22H310.0.22631.0 < 10.0.22631.6936affected
MicrosoftWindows 11 Version 23H210.0.22631.0 < 10.0.22631.6936affected
MicrosoftWindows 11 Version 24H210.0.26100.0 < 10.0.26100.8246affected
MicrosoftWindows 11 Version 25H210.0.26200.0 < 10.0.26200.8246affected
MicrosoftWindows 11 version 26H110.0.28000.0 < 10.0.28000.1836affected
MicrosoftWindows Server 201610.0.14393.0 < 10.0.14393.9060affected
MicrosoftWindows Server 2016 (Server Core installation)10.0.14393.0 < 10.0.14393.9060affected
MicrosoftWindows Server 201910.0.17763.0 < 10.0.17763.8644affected
MicrosoftWindows Server 2019 (Server Core installation)10.0.17763.0 < 10.0.17763.8644affected
MicrosoftWindows Server 202210.0.20348.0 < 10.0.20348.5020affected
MicrosoftWindows Server 2022, 23H2 Edition (Server Core installation)10.0.25398.0 < 10.0.25398.2274affected
MicrosoftWindows Server 202510.0.26100.0 < 10.0.26100.32690affected
MicrosoftWindows Server 2025 (Server Core installation)10.0.26100.0 < 10.0.26100.32690affected

Weaknesses

  • CWE-362: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE-416: CWE-416: Use After Free

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References