CVE-2026-32091 — Race Condition in Microsoft Windows 10 Version 1607

CWE-362 — Race Condition CWE-416 — Use After Free4 documents4 sources

Severity

8.4HIGHNVD

EPSS

0.0%

top 87.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Windows 10 Version 1607 Microsoft Windows 10 Version 1809 Microsoft Windows 10 Version 21h2 +10 more

Timeline

PublishedApr 14

Description

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.5 | Impact: 5.9

Affected Packages13 packages

▶CVEListV5microsoft/windows_server_201610.0.14393.0 — 10.0.14393.9060

▶CVEListV5microsoft/windows_server_201910.0.17763.0 — 10.0.17763.8644

▶CVEListV5microsoft/windows_server_202210.0.20348.0 — 10.0.20348.5020

▶CVEListV5microsoft/windows_server_202510.0.26100.0 — 10.0.26100.32690

▶CVEListV5microsoft/windows_10_version_160710.0.14393.0 — 10.0.14393.9060

🔴Vulnerability Details

VulDB

Microsoft Windows up to Server 2025 Brokering File System race condition↗2026-04-14

▶

CVEList

Microsoft Brokering File System Elevation of Privilege Vulnerability↗2026-04-14

▶

GHSA

GHSA-7cvg-qpvm-qwgv: Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an unauthorized↗2026-04-14

▶