CVE-2026-45487: Windows TOCTOU Privilege Escalation in Program Compatibility Assistant
A timing-based vulnerability exists in Windows' Program Compatibility Assistant Service that allows someone with local system access to exploit a gap between checking permissions and using a resource. By executing commands at precisely the right moment, an attacker can bypass normal privilege restrictions and gain elevated access to the system. This is a local-only attack requiring the attacker to already have a user account on the machine.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-367
- Affected products
- 16 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Time-of-check time-of-use (TOCTOU) race condition in Program Compatibility Assistant Service allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45487 is a Time-of-Check Time-of-Use (TOCTOU) race condition (CWE-367) in the Program Compatibility Assistant Service. The vulnerability permits an authenticated local attacker to escalate privileges by exploiting a race condition between authorization validation and resource access. The attack vector is local, requires low complexity to execute, and mandates only user-level privileges to initiate. Once successful, the attacker gains high-impact capabilities affecting confidentiality, integrity, and availability of the affected system.
Business impact
This vulnerability presents a significant insider-threat and privilege escalation risk. An employee or contractor with standard user access could elevate to administrative privileges without detection, potentially leading to unauthorized system modifications, data exfiltration, lateral movement within the network, or service disruption. Organizations relying on user-account segmentation as a security control will find that control partially circumvented on affected Windows versions. The HIGH CVSS score (7.8) reflects the combination of high impact potential and low barrier to exploitation for users already on the system.
Affected systems
Microsoft Windows 10 versions 21H2 and 22H2, all recent Windows 11 releases (23H2, 24H2, 25H2, 26H1), Windows Server 2022, and Windows Server 2025 are affected. This covers both consumer and server deployments across current and near-current OS versions, representing a broad installed base requiring coordinated patching efforts.
Exploitability
The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread active exploitation has been publicly documented as of the last update. However, the low complexity and straightforward prerequisites (local access, standard user privileges, no user interaction required) mean that exploitation capability is likely feasible once technical details circulate. Security teams should assume weaponization is plausible and prioritize patching accordingly.
Remediation
Apply security updates from Microsoft addressing CVE-2026-45487 on all affected Windows 10 and Windows 11 versions, as well as Windows Server 2022 and 2025. Verify patch availability through Microsoft's official security advisory and your organization's patch management system. For systems that cannot be immediately patched, consider restricting local logon privileges to trusted administrators only and disabling the Program Compatibility Assistant Service if operationally feasible.
Patch guidance
Consult Microsoft's official security bulletin for CVE-2026-45487 to identify the specific KB articles and update versions applicable to your deployed Windows editions. Patches should be tested in a staging environment before broad rollout, particularly for server infrastructure. Given the broad affected product range, establish a phased deployment schedule prioritizing servers and high-value workstations first. Monitor Microsoft's update schedule to confirm all affected versions receive timely patches.
Detection guidance
Look for suspicious process creation from the Program Compatibility Assistant Service (pcasvc.exe), particularly spawning child processes with elevated privileges or accessing sensitive system files. Monitor for unusual file modifications in protected directories that should require admin rights, especially when initiated by standard user processes. Endpoint Detection and Response (EDR) solutions should flag privilege escalation attempts originating from the compatibility assistant service. File integrity monitoring on critical system binaries may reveal tampering attempts exploiting this race condition.
Why prioritize this
Despite the absence from the KEV catalog, this vulnerability merits HIGH priority due to its CVSS 7.8 score, the breadth of affected versions spanning Windows 10, 11, and current server platforms, and the low exploitation complexity. Any local user can attempt the attack with standard privileges, making it attractive for insider threats and as a post-exploitation lateral movement technique. The timing-based nature means automated attacks are feasible once proof-of-concept details emerge.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector with low attack complexity, low privilege requirements, no user interaction needed, and high impact across all three security properties (confidentiality, integrity, availability). The score appropriately captures the privilege-escalation threat even though exploitation depends on prior local access. Organizations should treat this as a HIGH-priority issue for patching within their standard vulnerability management cycles, typically targeting resolution within 30 days.
Frequently asked questions
Do we need to patch immediately if we have strong access controls limiting who can log in locally?
While restricting local logon rights does reduce risk, you should still prioritize patching. Insider threats, compromised contractor accounts, or exploitation of other vulnerabilities leading to local access could still enable this attack. Patching eliminates the vulnerability entirely rather than relying on access controls as the sole defense.
Is this vulnerability exploitable remotely, or does the attacker truly need local access?
This is strictly a local privilege escalation. The attacker must already have a user account and logon session on the affected system. There is no network-based vector. However, it becomes critical when combined with other vulnerabilities that provide initial access.
What does 'Time-of-Check Time-of-Use' mean in practical terms?
The vulnerability occurs when the system checks whether a user has permission to do something, but an attacker modifies the target between that check and when the action is actually executed. In this case, the gap allows the attacker to swap or modify resources in a way that bypasses the original permission decision, resulting in privileged access.
If we have this vulnerability but are not yet patched, what can we do immediately?
Disable the Program Compatibility Assistant Service if it is not critical to your operations, restrict local logon to administrative accounts only, monitor for suspicious process activity from pcasvc.exe, and escalate patching as the highest priority. Document the exception and establish a firm patching deadline.
This analysis is provided for informational purposes based on available vulnerability data as of the publication date. CVSS scores, patch details, and KEV status reflect information current at the time of writing and may be updated by vendors or CISA. Organizations should verify all remediation steps against official Microsoft security advisories and test patches in their environments before production deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends consulting official vendor guidance for authoritative technical details and support. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45647MEDIUMMicrosoft Defender for Endpoint Privilege Escalation Race Condition
- CVE-2025-64390HIGHPlayStation 4 BD-J Sandbox Escape Privilege Escalation (Firmware 13.00-13.02)
- CVE-2026-24065HIGHWaves Central macOS Privilege Escalation Race Condition
- CVE-2026-25260HIGHQualcomm Firmware Memory Corruption Vulnerability
- CVE-2026-46227HIGHLinux SCTP Race Condition Use-After-Free Privilege Escalation
- CVE-2025-59610MEDIUMQualcomm Memory Corruption via IOCTL API Version Mismatch – Patch Guidance
- CVE-2026-20454MEDIUMMediaTek geniezone Race Condition Privilege Escalation (CVSS 6.4)
- CVE-2026-45619MEDIUMWWBN AVideo DNS-Rebinding SSRF Vulnerability