CVE-2026-26167
Published: 14 April 2026
Summary
CVE-2026-26167 is a high-severity Race Condition (CWE-362) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of the specific race condition vulnerability through application of Microsoft patches for Windows Push Notifications.
Prevents unauthorized information transfer via shared system resources, directly addressing the race condition from improper synchronization during concurrent execution.
Implements memory protection mechanisms that mitigate the associated use-after-free issue triggered by the race condition.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local race condition/use-after-free in Windows component directly enables exploitation for privilege escalation from low-privileged context to SYSTEM-level access.
NVD Description
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
Deeper analysisAI
CVE-2026-26167 is a race condition vulnerability (CWE-362) with an associated use-after-free issue (CWE-416) in the Windows Push Notifications component of Microsoft Windows. Published on 2026-04-14T18:16:50.297, it carries a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), stemming from improper synchronization during concurrent execution using a shared resource, which enables local privilege escalation.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction. Exploitation involves triggering the race condition in Windows Push Notifications, allowing privilege escalation that grants high-impact access to confidentiality, integrity, and availability (C:H/I:H/A:H) in a scope-changing context (S:C), potentially resulting in full system compromise.
Microsoft's update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26167 provides details on available patches and mitigation recommendations for addressing this vulnerability.
Details
- CWE(s)