CVE-2022-26904
Published: 15 April 2022
Summary
CVE-2022-26904 is a high-severity race condition (CWE-362) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.0 (High).
Operationally, it ranks in the top 4.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-26904 is an elevation-of-privilege vulnerability in the Windows User Profile Service stemming from a race condition (CWE-362). The flaw affects multiple versions of Windows and carries a CVSS 3.1 score of 7.0, reflecting local attack vector, high attack complexity, low privileges required, and high impact on confidentiality, integrity, and availability.
A local attacker with a low-privileged account can exploit the race condition to obtain SYSTEM-level privileges on an affected system. Successful exploitation grants the attacker full control over the target machine, enabling arbitrary code execution, credential theft, and persistence.
Microsoft’s security update guide recommends installing the patches released on April 12, 2022, which address the underlying race condition in the User Profile Service. The vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming that federal agencies must apply mitigations according to the published timelines.
EPSS scores for the CVE rose from low values after disclosure to a peak of 0.2831 in December 2025 before receding to the current 0.2300, indicating renewed exploitation interest well after the initial release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31451
Vulnerability details
Windows User Profile Service Elevation of Privilege Vulnerability
- CWE(s): CWE-362 (Race Condition)
- KEV Date Added: 25 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely installation of the Microsoft security update that eliminates the race condition in the User Profile Service.
- AC-3 (Access Enforcement): Enforces access-control decisions on profile-related objects so a low-privileged process cannot win the race and obtain elevated rights.
- Limits the initial privileges of the attacker, reducing both the likelihood and impact of successful profile-service exploitation.