CVE-2026-45597: Windows UI Automation Manager Local Privilege Escalation
A race condition vulnerability in Windows UI Automation Manager allows an authorized local user to escalate privileges on affected systems. The flaw arises from improper synchronization when multiple processes access shared resources simultaneously. An attacker with existing local access can exploit timing windows to gain system-level privileges. This is not a remote vulnerability and requires prior authentication or local access, which narrows but does not eliminate the risk in shared computing environments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-362
- Affected products
- 10 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Concurrent execution using shared resource with improper synchronization ('race condition') in UI Automation Manager (uiamanager.dll) allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45597 is a race condition (CWE-362) in the uiamanager.dll component of Windows that enables local privilege escalation. The vulnerability stems from inadequate synchronization mechanisms protecting shared resources during concurrent execution. An authorized user with local access can manipulate the timing of resource access to bypass privilege boundaries. The CVSS 3.1 vector reflects local attack vector (AV:L), high complexity (AC:H), low privilege requirement (PR:L), no user interaction needed (UI:N), and impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
Business impact
Organizations operating affected Windows editions face elevated risk in multi-user or shared workstation scenarios. Compromise of administrative privileges can lead to unauthorized system modifications, malware persistence, lateral movement to other systems, and exposure of sensitive data. The impact scales with environment size: enterprises with thousands of workstations should prioritize remediation to prevent post-compromise activities. Server environments (Windows Server 2022 and 2025) present particular risk if interactive logon is permitted or if service accounts are exploitable via this vector.
Affected systems
The vulnerability affects Windows 11 versions 23H2, 24H2, 25H2, and 26H1, as well as Windows Server 2022 and Windows Server 2025. Any deployment of these specific builds should be inventoried for exposure. Virtualized environments, development systems, and shared workstations are higher-risk configurations due to increased likelihood of concurrent user sessions or automated process interactions.
Exploitability
Exploitation requires local access and existing user privileges—a significant constraint that prevents remote unauthenticated attacks. However, the high complexity factor (AC:H) suggests the race condition window is timing-dependent rather than trivial to trigger reliably. In practice, this means exploitation may require multiple attempts or specialized knowledge of UI Automation Manager internals. The prerequisite of local access limits spread but does not protect against insider threats, compromised service accounts, or environments where physical or remote desktop access is broadly granted.
Remediation
Apply security updates from Microsoft addressing this vulnerability in uiamanager.dll. Verify patch availability through the Microsoft Security Update Guide and apply to all affected Windows 11 and Windows Server editions in your environment. For systems where patching is temporarily delayed, restrict local user access where operationally feasible and monitor UI Automation Manager activity for suspicious concurrent operations.
Patch guidance
Check Microsoft's official security advisories and Windows Update catalog for patches targeting CVE-2026-45597 on your specific Windows 11 and Server 2022/2025 builds. Patches should be tested in non-production environments before broad deployment to confirm compatibility with business applications. Prioritize servers and multi-user workstations. Verify patch installation by confirming uiamanager.dll version updates and testing UI Automation features remain functional post-patch.
Detection guidance
Monitor process execution and API call patterns related to UI Automation Manager, particularly focusing on concurrent access to shared resources from different user contexts. Windows Event Viewer logs (Security and System channels) may reveal privilege escalation attempts. Endpoint Detection and Response (EDR) tools should flag suspicious elevation patterns preceded by local access. Look for unusual timing correlations between UI automation API calls and system-level operations.
Why prioritize this
This vulnerability rates HIGH severity due to local privilege escalation capability affecting multiple current Windows versions and server editions. While requiring prior local access limits immediate remote threat, the broad install base of Windows 11 and Server 2025, combined with the complete compromise potential (C:H/I:H/A:H), warrants prompt remediation. Prioritize over lower-severity issues but below critical remote code execution flaws. The race condition's complexity may slow exploit development, providing a reasonable window for patching before widespread weaponization.
Risk score, explained
The CVSS 3.1 score of 7.0 (HIGH) reflects a scenario where an attacker with low privileges and local access can achieve complete system compromise through a time-dependent race condition. The high complexity increases the practical barrier to exploitation, preventing automatic scoring to CRITICAL. The lack of network attack vector and authentication requirement substantially reduce threat surface compared to remote vulnerabilities, but local privilege escalation to system-level access in multi-user environments remains a significant organizational risk.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-45597 requires local access and existing user credentials. Remote attackers cannot exploit it directly. However, if a system is already compromised or if remote access mechanisms (RDP, SSH) are available to attackers, this vulnerability becomes a post-compromise escalation risk.
What versions of Windows Server are affected?
Windows Server 2022 and Windows Server 2025 are vulnerable. Windows Server 2019 and earlier versions have not been listed as affected. Verify your specific build number against Microsoft advisories before assuming protection.
What should we do if we can't patch immediately?
Limit local user access to affected systems where possible, disable UI Automation features if not required for business operations, and implement enhanced monitoring of process privilege escalation attempts. Consider temporary access controls or segmentation for high-risk systems while awaiting patches.
Does this require user interaction to exploit?
No. The UI:N (no user interaction) designation means an attacker does not need to trick a user into clicking a link or opening a file. However, the race condition's high complexity means successful exploitation may require precise timing or multiple attempts, making it less trivial than some other privilege escalation flaws.
This analysis is based on publicly available information current as of the vulnerability publication date. Patch version numbers and specific remediation steps should be verified against official Microsoft security advisories and your vendor's documentation before implementation. SEC.co makes no guarantee of exploit availability, timeline to public weaponization, or completeness of affected product lists. Organizations should conduct independent risk assessment aligned with their specific environment and threat landscape. This document does not constitute professional security advice; consult your security team or a qualified cybersecurity consultant for implementation guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10940HIGHChrome Windows Sandbox Escape via Codec Race Condition
- CVE-2026-42836HIGHWindows Function Discovery Service Race Condition Privilege Escalation
- CVE-2026-42909HIGHMicrosoft Remote Desktop Client Race Condition Remote Code Execution
- CVE-2026-42912HIGHWindows Telephony Service Race Condition Privilege Escalation
- CVE-2026-42913HIGHRemote Desktop Client Race Condition Allows Network Code Execution
- CVE-2026-42977HIGHWindows Push Notifications Race Condition Local Privilege Escalation
- CVE-2026-42978HIGHWindows Push Notifications Privilege Escalation (CVSS 7.8)