CVE-2026-54112 is a newly patched Windows Win32k elevation-of-privilege vulnerability that can let an attacker with limited local access gain broader control of an affected PC or server. Microsoft released the fix on July 14, 2026, as part of its monthly security updates, covering supported editions of Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2025.
Detailed in Microsoft’s Security Update Guide, the flaw carries a CVSS 3.1 base score of 7.8 and an Important severity rating. Microsoft describes the underlying problem as improper synchronization of a shared resource—a race condition inside Win32k that an authorized local attacker can exploit to elevate privileges.
The vulnerability is not a remote entry point by itself. It becomes dangerous after an attacker has acquired low-privilege access through another vulnerability, stolen credentials, malicious software, or an exposed interactive session.
Win32k is a core part of the Windows graphical subsystem, supporting window management, input processing, graphics operations, and the user-to-kernel interactions behind the desktop. Its position near the operating system’s privilege boundary has made Win32k vulnerabilities recurring targets for exploit developers.
CVE-2026-54112 involves concurrent operations accessing a shared resource without adequate synchronization. In practical terms, an attacker attempts to make two or more operations occur in a carefully controlled sequence, pushing Windows into a state its developers did not expect.
Microsoft’s scoring indicates that exploitation requires local access, low privileges, and no interaction from another user. Attack complexity is rated high, however, meaning successful exploitation depends on conditions outside the attacker’s direct control or requires precise timing. That makes the bug less straightforward than a reliably triggered permission error, but it does not remove the risk.
A successful attack can produce high impacts to confidentiality, integrity, and availability. The changed-scope component in Microsoft’s CVSS vector also reflects the significance of crossing from the vulnerable Win32k context into a more privileged security authority.
This is the familiar role of a privilege-escalation exploit in an attack chain: it does not necessarily open the front door, but it can help an intruder who is already inside take over the building. Malware running under an ordinary user account could use such a flaw to disable defenses, access protected data, create privileged accounts, establish persistence, or interfere with system services.
On the server side, Microsoft lists Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core installations of Windows Server 2019 and Windows Server 2025 are also included, demonstrating that the exposure is not limited to systems running the full Desktop Experience.
The corrected build thresholds published with the CVE include:
Windows 10 deserves particular scrutiny because the affected list includes editions and versions that may only remain eligible for fixes under specific servicing or ESU arrangements. A machine being technically vulnerable does not guarantee that it is entitled to receive the corresponding security update through ordinary Windows Update channels.
It also makes the vulnerability useful in a more targeted setting. Attackers routinely combine an initial-access technique with a local privilege-escalation bug, particularly where endpoint controls restrict what an unprivileged process can do. A reliable Win32k exploit can turn a constrained foothold into a system-level compromise.
Race conditions can be difficult to weaponize consistently because scheduling, processor load, hardware differences, and operating-system behavior influence the timing window. Exploit developers can nevertheless improve reliability through repeated attempts, manipulation of thread scheduling, and carefully prepared system state.
Microsoft has confirmed the vulnerability through its advisory and supplied an official fix. Public confirmation is important because it establishes that the issue is not merely a suspected weakness inferred from incomplete research. It also gives defenders concrete affected-version and remediation data, while providing would-be attackers with enough classification information to begin examining update differences.
Microsoft’s public description does not expose the complete vulnerable code path or provide exploit instructions. Even so, monthly update packages can be compared against previous builds, a process known as patch diffing, to identify changed functions and reconstruct the weakness. That creates a practical reason to shorten the interval between Microsoft’s July 14 release and broad enterprise deployment.
Deployment priority should reflect how a local elevation flaw is actually used. Internet-facing servers remain important, but endpoint fleets with frequent user activity, downloaded files, browser sessions, remote-management tools, and third-party applications offer more opportunities for attackers to obtain the initial low-privilege execution that CVE-2026-54112 requires.
Multi-user systems also deserve attention. Remote Desktop Session Host servers, virtual desktop infrastructure, shared administrative workstations, jump boxes, and development systems routinely execute code belonging to different users or trust levels. On those machines, a local privilege boundary is a meaningful security control rather than a theoretical distinction.
Administrators should verify installation using the resulting OS build number and their normal endpoint-management inventory. A deployment marked successful by Windows Server Update Services, Microsoft Configuration Manager, Windows Autopatch, or Microsoft Intune should still be reconciled against devices that were offline, paused, excluded, or unable to complete a restart.
Security teams should also monitor for unusual child processes, privilege changes, service creation, security-tool tampering, and other post-exploitation behavior. Those signals are not specific to CVE-2026-54112, but they can reveal attempts to capitalize on a compromised local account.
CVE-2026-54112 is ultimately a post-compromise force multiplier rather than a stand-alone remote takeover. Systems below builds 17763.9020, 19044.7548, 19045.7548, 26100.8875, 26200.8875, 28000.2525, 20348.5386, or 26100.33158—as applicable—should remain on remediation dashboards until the July 14 update is installed and the required restart is complete.
Detailed in Microsoft’s Security Update Guide, the flaw carries a CVSS 3.1 base score of 7.8 and an Important severity rating. Microsoft describes the underlying problem as improper synchronization of a shared resource—a race condition inside Win32k that an authorized local attacker can exploit to elevate privileges.
The vulnerability is not a remote entry point by itself. It becomes dangerous after an attacker has acquired low-privilege access through another vulnerability, stolen credentials, malicious software, or an exposed interactive session.
A Race Condition at a Sensitive Boundary
Win32k is a core part of the Windows graphical subsystem, supporting window management, input processing, graphics operations, and the user-to-kernel interactions behind the desktop. Its position near the operating system’s privilege boundary has made Win32k vulnerabilities recurring targets for exploit developers.CVE-2026-54112 involves concurrent operations accessing a shared resource without adequate synchronization. In practical terms, an attacker attempts to make two or more operations occur in a carefully controlled sequence, pushing Windows into a state its developers did not expect.
Microsoft’s scoring indicates that exploitation requires local access, low privileges, and no interaction from another user. Attack complexity is rated high, however, meaning successful exploitation depends on conditions outside the attacker’s direct control or requires precise timing. That makes the bug less straightforward than a reliably triggered permission error, but it does not remove the risk.
A successful attack can produce high impacts to confidentiality, integrity, and availability. The changed-scope component in Microsoft’s CVSS vector also reflects the significance of crossing from the vulnerable Win32k context into a more privileged security authority.
This is the familiar role of a privilege-escalation exploit in an attack chain: it does not necessarily open the front door, but it can help an intruder who is already inside take over the building. Malware running under an ordinary user account could use such a flaw to disable defenses, access protected data, create privileged accounts, establish persistence, or interfere with system services.
The Fix Reaches Windows 10 Through Windows 11 26H1
Microsoft’s affected-product data spans several generations of client and server Windows. The vulnerable releases include Windows 10 Version 1809, Windows 10 Version 21H2, Windows 10 Version 22H2, Windows 11 Version 24H2, Windows 11 Version 25H2, and Windows 11 version 26H1.On the server side, Microsoft lists Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core installations of Windows Server 2019 and Windows Server 2025 are also included, demonstrating that the exposure is not limited to systems running the full Desktop Experience.
The corrected build thresholds published with the CVE include:
- Windows 10 Version 1809 and Windows Server 2019 are addressed at build 17763.9020.
- Windows 10 Version 21H2 reaches build 19044.7548.
- Windows 10 Version 22H2 reaches build 19045.7548.
- Windows 11 Version 24H2 reaches build 26100.8875.
- Windows 11 Version 25H2 reaches build 26200.8875.
- Windows 11 version 26H1 reaches build 28000.2525.
- Windows Server 2022 reaches build 20348.5386.
- Windows Server 2025 reaches build 26100.33158.
Windows 10 deserves particular scrutiny because the affected list includes editions and versions that may only remain eligible for fixes under specific servicing or ESU arrangements. A machine being technically vulnerable does not guarantee that it is entitled to receive the corresponding security update through ordinary Windows Update channels.
High Complexity Is Not a Reason to Wait
The CVSS vector for CVE-2026-54112 identifies a local attack with high complexity, low privileges, and no user interaction. That profile generally reduces the likelihood of indiscriminate exploitation compared with a network-accessible flaw requiring no authentication.It also makes the vulnerability useful in a more targeted setting. Attackers routinely combine an initial-access technique with a local privilege-escalation bug, particularly where endpoint controls restrict what an unprivileged process can do. A reliable Win32k exploit can turn a constrained foothold into a system-level compromise.
Race conditions can be difficult to weaponize consistently because scheduling, processor load, hardware differences, and operating-system behavior influence the timing window. Exploit developers can nevertheless improve reliability through repeated attempts, manipulation of thread scheduling, and carefully prepared system state.
Microsoft has confirmed the vulnerability through its advisory and supplied an official fix. Public confirmation is important because it establishes that the issue is not merely a suspected weakness inferred from incomplete research. It also gives defenders concrete affected-version and remediation data, while providing would-be attackers with enough classification information to begin examining update differences.
Microsoft’s public description does not expose the complete vulnerable code path or provide exploit instructions. Even so, monthly update packages can be compared against previous builds, a process known as patch diffing, to identify changed functions and reconstruct the weakness. That creates a practical reason to shorten the interval between Microsoft’s July 14 release and broad enterprise deployment.
Patch the Workstations That Attackers Can Reach First
For IT departments, installing the July 2026 cumulative security update is the primary remediation. Microsoft has not presented a configuration workaround that should be treated as an equivalent substitute for updating the affected Win32k code.Deployment priority should reflect how a local elevation flaw is actually used. Internet-facing servers remain important, but endpoint fleets with frequent user activity, downloaded files, browser sessions, remote-management tools, and third-party applications offer more opportunities for attackers to obtain the initial low-privilege execution that CVE-2026-54112 requires.
Multi-user systems also deserve attention. Remote Desktop Session Host servers, virtual desktop infrastructure, shared administrative workstations, jump boxes, and development systems routinely execute code belonging to different users or trust levels. On those machines, a local privilege boundary is a meaningful security control rather than a theoretical distinction.
Administrators should verify installation using the resulting OS build number and their normal endpoint-management inventory. A deployment marked successful by Windows Server Update Services, Microsoft Configuration Manager, Windows Autopatch, or Microsoft Intune should still be reconciled against devices that were offline, paused, excluded, or unable to complete a restart.
Security teams should also monitor for unusual child processes, privilege changes, service creation, security-tool tampering, and other post-exploitation behavior. Those signals are not specific to CVE-2026-54112, but they can reveal attempts to capitalize on a compromised local account.
CVE-2026-54112 is ultimately a post-compromise force multiplier rather than a stand-alone remote takeover. Systems below builds 17763.9020, 19044.7548, 19045.7548, 26100.8875, 26200.8875, 28000.2525, 20348.5386, or 26100.33158—as applicable—should remain on remediation dashboards until the July 14 update is installed and the required restart is complete.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com