CVE-2026-32090 — Race Condition in Microsoft Windows 10 Version 1607

CWE-362 — Race Condition CWE-416 — Use After Free4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 88.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Windows 10 Version 1607 Microsoft Windows 10 Version 1809 Microsoft Windows 10 Version 21h2 +10 more

Timeline

PublishedApr 14

Description

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages13 packages

▶CVEListV5microsoft/windows_server_201610.0.14393.0 — 10.0.14393.9060

▶CVEListV5microsoft/windows_server_201910.0.17763.0 — 10.0.17763.8644

▶CVEListV5microsoft/windows_server_202210.0.20348.0 — 10.0.20348.5020

▶CVEListV5microsoft/windows_server_202510.0.26100.0 — 10.0.26100.32690

▶CVEListV5microsoft/windows_10_version_160710.0.14393.0 — 10.0.14393.9060

🔴Vulnerability Details

CVEList

Windows Speech Brokered Api Elevation of Privilege Vulnerability↗2026-04-14

▶

VulDB

Microsoft Windows up to Server 2025 Speech Brokered API race condition↗2026-04-14

▶

GHSA

GHSA-56x4-mhc5-h2hv: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech Brokered Api allows an authorized attack↗2026-04-14

▶