CVE-2026-20816
Published: 13 January 2026
Summary
CVE-2026-20816 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Windows Installer; the affected product recorded on this page is Microsoft Windows Server 2008 (the MSRC advisory lists the full set of affected versions). Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood ranking sits at the 5.9th percentile, well below the median, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-20816 is a time-of-check time-of-use (TOCTOU) race condition vulnerability in Windows Installer, affecting Windows operating systems. Classified under CWE-367, it allows an authorized (already authenticated) local user to elevate privileges. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): a local attack of low complexity that needs only low privileges and no user interaction, with high impact on confidentiality, integrity, and availability.
A TOCTOU race exists when a privileged component first validates some state (a file, path, or object) and only later acts on it; if an attacker can change that state in the window between the check and the use, the privileged component acts on attacker-controlled input. Here the privileged component is Windows Installer, which runs installation work on behalf of low-privileged users, so winning the race lets a local user with low privileges (PR:L) manipulate the installation process and gain higher privileges on the system. The advisory text on this page does not identify which specific check and use are raced. Note that an attacker must already have a local foothold, so the realistic threat is post-compromise escalation from a standard user or a compromised service account rather than initial access.
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20816 provides mitigation details, including the available patches and recommended actions for affected Windows systems. Consult it for the specific update that applies to each affected version before treating a host as remediated.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2200
Vulnerability details
Time-of-check time-of-use (toctou) race condition in Windows Installer allows an authorized attacker to elevate privileges locally.
- CWE(s): CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
Direct local privilege escalation via exploitation of a TOCTOU race condition vulnerability in Windows Installer.
Affected Assets
- Microsoft Windows Server 2008 (Windows Installer component); see the MSRC advisory for the complete list of affected versions.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the TOCTOU race condition in Windows Installer by requiring timely application of the vendor patches specified in the MSRC advisory.
- CM-11 (User-installed Software): prohibits or strictly controls user-initiated installations through Windows Installer, denying local low-privilege attackers the ability to trigger the vulnerable installation process in the first place.
- AC-6 (Least Privilege): enforces least privilege for local accounts, which limits who can reach the PR:L precondition and reduces the blast radius if the race is won.
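The following PowerShell audit is an added example, not code from the advisory or from Microsoft. It checks the Windows Installer policy state that the CM-11 and least-privilege controls above depend on, reports whether the current session is already elevated, and lists updates installed on or after the advisory's publication date so the reader can match the KB identifier given in the MSRC entry. It assumes a Windows host with PowerShell 5.1 or later; the registry paths and policy value names used (DisableMSI, AlwaysInstallElevated) are the documented Windows Installer policy values, and the function name Test-InstallerPolicy is this example's own.

```powershell
# Added audit script (not from the advisory or from Microsoft).
# Assumes: Windows, PowerShell 5.1+, read access to HKLM policy keys.
# The KB that fixes CVE-2026-20816 is NOT hardcoded because this page does
# not name it; match the HotFixID output against the MSRC advisory.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-InstallerPolicy {
    $findings = New-Object System.Collections.Generic.List[string]
    $hklmInstaller = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hkcuInstaller = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'

    # 1. CM-11: DisableMSI controls who may start Windows Installer.
    #    absent/0 = any user (default), 1 = managed packages only, 2 = disabled.
    $disableMsi = Get-PolicyValue -Path $hklmInstaller -Name 'DisableMSI'
    if ($null -eq $disableMsi -or $disableMsi -eq 0) {
        $findings.Add('DisableMSI absent or 0: any local user can start installations (CM-11 not enforced)')
    } elseif ($disableMsi -eq 1) {
        $findings.Add('DisableMSI=1: only managed (admin/GPO-deployed) packages install (CM-11 partially enforced)')
    } elseif ($disableMsi -eq 2) {
        $findings.Add('DisableMSI=2: Windows Installer disabled for users (CM-11 enforced)')
    }

    # 2. Least privilege: AlwaysInstallElevated=1 in BOTH hives makes every
    #    MSI run as SYSTEM, which is a privilege-escalation path on its own.
    $aieMachine = Get-PolicyValue -Path $hklmInstaller -Name 'AlwaysInstallElevated'
    $aieUser    = Get-PolicyValue -Path $hkcuInstaller -Name 'AlwaysInstallElevated'
    if ($aieMachine -eq 1 -and $aieUser -eq 1) {
        $findings.Add('AlwaysInstallElevated=1 in HKLM and HKCU: all MSIs run as SYSTEM (least privilege violated)')
    } else {
        $findings.Add("AlwaysInstallElevated: HKLM=$aieMachine HKCU=$aieUser (acceptable unless both are 1)")
    }

    # 3. Is this session already an Administrator? The PR:L vector describes
    #    a standard user; an admin session gains nothing from this CVE.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $findings.Add("Current session is elevated: $isAdmin")

    # 4. SI-2: updates installed on or after the advisory date (13 Jan 2026).
    #    InstalledOn can be empty for some entries, so guard before comparing.
    $since  = Get-Date '2026-01-13'
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
    $findings.Add("Updates installed since $($since.ToShortDateString()): $(@($recent).Count)")

    [pscustomobject]@{
        Findings      = $findings
        RecentUpdates = @($recent)
    }
}

$result = Test-InstallerPolicy
$result.Findings | ForEach-Object { Write-Output $_ }
$result.RecentUpdates | Format-Table -AutoSize
```

Run it as the standard user whose exposure you are assessing, not from an admin shell, so the elevation check reflects the PR:L precondition. If DisableMSI reports absent or 0 on hosts that have not yet received the update, the corresponding Group Policy setting is Computer Configuration > Administrative Templates > Windows Components > Windows Installer > "Turn off Windows Installer", which writes this same value; applying it is a stopgap for CM-11, not a substitute for the SI-2 patch.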