CVE-2026-32091

High

Published: 14 April 2026

Published

14 April 2026

Modified

21 April 2026

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0004 12.4th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32091 is a high-severity Race Condition (CWE-362) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-4 Information in Shared System Resources good match

prevent

Directly prevents unauthorized and unintended information transfer via shared file system resources exploited by the race condition in Microsoft Brokering File System.

SI-2 Flaw Remediation good match

prevent

Remediates the specific race condition flaw through timely identification, reporting, and correction including vendor patches from MSRC.

AC-6 Least Privilege partial match

prevent

Limits the impact of local privilege escalation resulting from the race condition by restricting processes to the least privileges necessary.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Local race condition/use-after-free in Microsoft Brokering File System directly enables local privilege escalation without authentication or user interaction, mapping to T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.

Deeper analysisAI

CVE-2026-32091 is a race condition vulnerability stemming from concurrent execution using a shared resource with improper synchronization, classified under CWE-362 and CWE-416. It affects the Microsoft Brokering File System and was published on 2026-04-14 with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthorized local attacker can exploit this vulnerability due to its low attack complexity, lack of privilege requirements, and absence of user interaction. Successful exploitation enables local privilege escalation, resulting in high impacts to confidentiality, integrity, and availability within the unchanged security scope.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32091 provides details on patches and mitigation guidance.

Details

CWE(s): CWE-362 CWE-416

Affected Products

microsoft

windows 10 1607

≤ 10.0.14393.9060 · ≤ 10.0.14393.9060

microsoft

windows 10 1809

≤ 10.0.17763.8644 · ≤ 10.0.17763.8644

microsoft

windows 10 21h2

≤ 10.0.19044.7184 · ≤ 10.0.19044.7184 · ≤ 10.0.19044.7184

microsoft

windows 10 22h2

≤ 10.0.19045.7184 · ≤ 10.0.19045.7184 · ≤ 10.0.19045.7184

microsoft

windows 11 23h2

≤ 10.0.22631.6936 · ≤ 10.0.22631.6936

microsoft

windows 11 24h2

≤ 10.0.26100.8246 · ≤ 10.0.26100.8246

microsoft

windows 11 25h2

≤ 10.0.26200.8246 · ≤ 10.0.26200.8246

microsoft

windows 11 26h1

≤ 10.0.28000.1836 · ≤ 10.0.28000.1836

microsoft

windows server 2016

≤ 10.0.14393.9060

microsoft

windows server 2019

≤ 10.0.17763.8644

+3 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-32089Same product: Microsoft Windows 10 1607

CVE-2026-27911Same product: Microsoft Windows 10 1607

CVE-2026-32090Same product: Microsoft Windows 10 1607

CVE-2026-26167Same product: Microsoft Windows 10 1607

CVE-2026-26168Same product: Microsoft Windows 10 1607

CVE-2026-20844Same product: Microsoft Windows 10 1607

CVE-2026-32163Same product: Microsoft Windows 10 1809

CVE-2026-27927Same product: Microsoft Windows 10 1809

CVE-2026-32165Same product: Microsoft Windows 10 1809

CVE-2026-32158Same product: Microsoft Windows 10 1809

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32091
Vendor Advisory · secure@microsoft.com