Cyber Resilience

CVE-2022-26904

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 15 April 2022
Modified: 30 October 2025
KEV Added: 25 April 2022
CVSS Score (v3.1): 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2300 (96.0th percentile)
Risk Priority: 48 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-26904 is a high-severity Race Condition (CWE-362) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.0 (High).

Operationally, its EPSS score places it in the top 4.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-26904 is an elevation-of-privilege vulnerability in the Windows User Profile Service stemming from a race condition (CWE-362). The flaw affects multiple versions of Windows and carries a CVSS 3.1 score of 7.0, reflecting a local attack vector, high attack complexity, low privileges required, and high impact on confidentiality, integrity, and availability.

A local attacker with a low-privileged account can exploit the race condition to obtain SYSTEM-level privileges on an affected system. Successful exploitation grants the attacker full control over the target machine, enabling arbitrary code execution, credential theft, and persistence.

Microsoft’s security update guide recommends installing the patches released on April 12, 2022, which address the underlying race condition in the User Profile Service. The vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming that federal agencies must apply mitigations according to the published timelines.

EPSS scores for the CVE rose from low values after disclosure to a peak of 0.2831 in December 2025 before receding to the current 0.2300, indicating renewed exploitation interest well after the initial release.


Vulnerability details

Title: Windows User Profile Service Elevation of Privilege Vulnerability
CWE(s): CWE-362 (Race Condition)
KEV Date Added: 25 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product / Affected versions:

Microsoft Windows 10 1507: ≤ 10.0.10240.19265
Microsoft Windows 10 1607: ≤ 10.0.14393.5066
Microsoft Windows 10 1809: ≤ 10.0.17763.2803
Microsoft Windows 10 1909: ≤ 10.0.18363.2212
Microsoft Windows 10 20H2: ≤ 10.0.19042.1645
Microsoft Windows 10 21H1: ≤ 10.0.19043.1645
Microsoft Windows 10 21H2: ≤ 10.0.19044.1645
Microsoft Windows 11 21H2: ≤ 10.0.22000.613
Microsoft Windows 7: all versions
Microsoft Windows 8.1: all versions
+7 more product configurations (see NVD for the full list)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely installation of the Microsoft security update that eliminates the race condition in the User Profile Service.

AC-3 Access Enforcement (prevent): Enforces access-control decisions on profile-related objects so a low-privileged process cannot win the race and obtain elevated rights.

Privilege limitation (prevent): Limits the initial privileges of the attacker, reducing both the likelihood and impact of successful profile-service exploitation.
