HIGH 7.8

CVE-2026-45487: Windows TOCTOU Privilege Escalation in Program Compatibility Assistant

A timing-based vulnerability exists in Windows' Program Compatibility Assistant Service that allows someone with local system access to exploit a gap between checking permissions and using a resource. By executing commands at precisely the right moment, an attacker can bypass normal privilege restrictions and gain elevated access to the system. This is a local-only attack requiring the attacker to already have a user account on the machine.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-367
Affected products
16 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Time-of-check time-of-use (TOCTOU) race condition in Program Compatibility Assistant Service allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45487 is a Time-of-Check Time-of-Use (TOCTOU) race condition (CWE-367) in the Program Compatibility Assistant Service. The vulnerability permits an authenticated local attacker to escalate privileges by exploiting a race condition between authorization validation and resource access. The attack vector is local, requires low complexity to execute, and mandates only user-level privileges to initiate. Once successful, the attacker gains high-impact capabilities affecting confidentiality, integrity, and availability of the affected system.

Business impact

This vulnerability presents a significant insider-threat and privilege escalation risk. An employee or contractor with standard user access could elevate to administrative privileges without detection, potentially leading to unauthorized system modifications, data exfiltration, lateral movement within the network, or service disruption. Organizations relying on user-account segmentation as a security control will find that control partially circumvented on affected Windows versions. The HIGH CVSS score (7.8) reflects the combination of high impact potential and low barrier to exploitation for users already on the system.

Affected systems

Microsoft Windows 10 versions 21H2 and 22H2, all recent Windows 11 releases (23H2, 24H2, 25H2, 26H1), Windows Server 2022, and Windows Server 2025 are affected. This covers both consumer and server deployments across current and near-current OS versions, representing a broad installed base requiring coordinated patching efforts.

Exploitability

The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread active exploitation has been publicly documented as of the last update. However, the low complexity and straightforward prerequisites (local access, standard user privileges, no user interaction required) mean that exploitation capability is likely feasible once technical details circulate. Security teams should assume weaponization is plausible and prioritize patching accordingly.

Remediation

Apply security updates from Microsoft addressing CVE-2026-45487 on all affected Windows 10 and Windows 11 versions, as well as Windows Server 2022 and 2025. Verify patch availability through Microsoft's official security advisory and your organization's patch management system. For systems that cannot be immediately patched, consider restricting local logon privileges to trusted administrators only and disabling the Program Compatibility Assistant Service if operationally feasible.

Patch guidance

Consult Microsoft's official security bulletin for CVE-2026-45487 to identify the specific KB articles and update versions applicable to your deployed Windows editions. Patches should be tested in a staging environment before broad rollout, particularly for server infrastructure. Given the broad affected product range, establish a phased deployment schedule prioritizing servers and high-value workstations first. Monitor Microsoft's update schedule to confirm all affected versions receive timely patches.

Detection guidance

Look for suspicious process creation from the Program Compatibility Assistant Service (pcasvc.exe), particularly spawning child processes with elevated privileges or accessing sensitive system files. Monitor for unusual file modifications in protected directories that should require admin rights, especially when initiated by standard user processes. Endpoint Detection and Response (EDR) solutions should flag privilege escalation attempts originating from the compatibility assistant service. File integrity monitoring on critical system binaries may reveal tampering attempts exploiting this race condition.

Why prioritize this

Despite the absence from the KEV catalog, this vulnerability merits HIGH priority due to its CVSS 7.8 score, the breadth of affected versions spanning Windows 10, 11, and current server platforms, and the low exploitation complexity. Any local user can attempt the attack with standard privileges, making it attractive for insider threats and as a post-exploitation lateral movement technique. The timing-based nature means automated attacks are feasible once proof-of-concept details emerge.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector with low attack complexity, low privilege requirements, no user interaction needed, and high impact across all three security properties (confidentiality, integrity, availability). The score appropriately captures the privilege-escalation threat even though exploitation depends on prior local access. Organizations should treat this as a HIGH-priority issue for patching within their standard vulnerability management cycles, typically targeting resolution within 30 days.

Frequently asked questions

Do we need to patch immediately if we have strong access controls limiting who can log in locally?

While restricting local logon rights does reduce risk, you should still prioritize patching. Insider threats, compromised contractor accounts, or exploitation of other vulnerabilities leading to local access could still enable this attack. Patching eliminates the vulnerability entirely rather than relying on access controls as the sole defense.

Is this vulnerability exploitable remotely, or does the attacker truly need local access?

This is strictly a local privilege escalation. The attacker must already have a user account and logon session on the affected system. There is no network-based vector. However, it becomes critical when combined with other vulnerabilities that provide initial access.

What does 'Time-of-Check Time-of-Use' mean in practical terms?

The vulnerability occurs when the system checks whether a user has permission to do something, but an attacker modifies the target between that check and when the action is actually executed. In this case, the gap allows the attacker to swap or modify resources in a way that bypasses the original permission decision, resulting in privileged access.

If we have this vulnerability but are not yet patched, what can we do immediately?

Disable the Program Compatibility Assistant Service if it is not critical to your operations, restrict local logon to administrative accounts only, monitor for suspicious process activity from pcasvc.exe, and escalate patching as the highest priority. Document the exception and establish a firm patching deadline.

This analysis is provided for informational purposes based on available vulnerability data as of the publication date. CVSS scores, patch details, and KEV status reflect information current at the time of writing and may be updated by vendors or CISA. Organizations should verify all remediation steps against official Microsoft security advisories and test patches in their environments before production deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends consulting official vendor guidance for authoritative technical details and support. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).