CVE-2026-20853
Published: 13 January 2026
Summary
CVE-2026-20853 is a high-severity Race Condition (CWE-362) vulnerability in Microsoft Windows 10 1607. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-4 (Information in Shared System Resources).
Deeper analysis
CVE-2026-20853 is a race condition vulnerability (CWE-362) affecting the Windows WalletService, published on 2026-01-13T18:16:13.990. The flaw arises from concurrent execution using a shared resource with improper synchronization, enabling an unauthorized attacker to elevate privileges locally. It carries a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker with no required privileges can exploit this race condition to achieve privilege escalation. The attack requires local access and high complexity due to the need for precise timing in concurrent operations, with no user interaction needed. Successful exploitation results in high impacts on confidentiality, integrity, and availability.
Microsoft's update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20853 provides details on mitigation and patching for this vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2165
Vulnerability details
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows WalletService allows an unauthorized attacker to elevate privileges locally.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Race condition in Windows service directly enables local privilege escalation via vulnerability exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires protection against unauthorized access to information in shared system resources, mitigating the improper synchronization that enables the race condition in WalletService.
Enforces approved access control policies on the WalletService, blocking the unauthorized privilege elevation that results from successful exploitation of the race condition.
Provides process isolation to limit interference between concurrent executions, reducing the attack surface for the shared-resource race condition in this local service.