CVE-2026-45487: Windows Program Compatibility Assistant Service Elevation of Privilege Vulnerability
Time-of-check time-of-use (TOCTOU) race condition in Program Compatibility Assistant Service allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 10.0.19044.7417
- Affected Products: 10
HarborGuard Analysis
Synopsis
A time-of-check time-of-use (TOCTOU) race condition is a class of bug where an attacker manipulates a shared resource in the window between when software checks a condition and when it acts on that result. This vulnerability exists in the Windows Program Compatibility Assistant Service across multiple Windows 10, Windows 11, and Windows Server 2022 versions. The attacker must already have a local session on the machine and a low-privilege account, but no network access or victim interaction is needed. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability on the affected host, effectively granting SYSTEM-level privileges. Patched-image rebuilds at the listed fix versions are available on HarborGuard for environments running affected Windows base images.
HarborGuard Coverage
Detection for CVE-2026-45487 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Microsoft's advisory feed) within minutes of publication and matched against all customer images, including custom-built Windows-based container images. Any image whose Windows base layer falls within an affected version range is flagged automatically in the pipeline.
HarborGuard scores this CVE at CVSS 7.8 HIGH and weights it against each environment's compliance policy to determine priority and routing. The resulting finding is delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at the applicable fix version (for example, 10.0.19044.7417 for Windows 10 21H2, or 10.0.26100.8655 for Windows 11 24H2) becomes available on HarborGuard once the upstream patched base layer is published. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network path to the service is required.
- Authentication: Required
  Any low-privilege local account is sufficient; no administrative credentials are needed to trigger the race condition.
- Victim interaction: Not required
  The exploit runs entirely under the attacker's control with no need for another user to take any action.
- Attack complexity: Low
  Attack complexity is rated Low, but TOCTOU exploits do depend on winning a timing race; in practice the exploit can be attempted repeatedly until the race is won, making it reliably executable without special environmental setup.
Blast Radius
- The attacker reads any file or credential on the host, including secrets, tokens, and registry data accessible only to SYSTEM.
- The attacker writes or replaces arbitrary files and registry keys, enabling persistent backdoors or tampering with system binaries.
- The attacker terminates or crashes any process on the host, including security agents and critical services.
- Combined control of confidentiality, integrity, and availability means full host compromise from a low-privilege starting point.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is matched against customer images within minutes of advisory ingestion, covering both Microsoft-sourced base images and any custom Windows-based layers. For environments running an affected Windows version (Windows 10 21H2/22H2, Windows 11 23H2/24H2/25H2/26H1, or Windows Server 2022), a patched-image rebuild at the corresponding fix version becomes available as soon as the upstream patched base layer is published. For customers who opt into auto-remediation, HarborGuard performs a rebuild, runs a regression test, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy permits, the finding is routed immediately to the owning team with CVSS 7.8 HIGH scoring applied.
Fix available
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 Version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
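The version-range matching described under HarborGuard Coverage, as an added example that is not HarborGuard's or Microsoft's code: it transcribes the fix table above and decides whether a four-part Windows build (as reported by `winver` or `[System.Environment]::OSVersion`) still needs the patch. It also handles the one caveat the table hides: the 10.0.26100 build line is shared by Windows 11 24H2 and Windows Server 2025 with different fix builds, so a build number alone can be fixed for one product and still affected for the other.

```python
"""Check a Windows build against the CVE-2026-45487 fix table on this page."""
from typing import List, Optional, Tuple

# Transcribed from the "Fix available" list above: (product, first affected, first fixed).
FIX_TABLE = [
    ("Windows 10 Version 21H2", "10.0.19044.0", "10.0.19044.7417"),
    ("Windows 10 Version 22H2", "10.0.19045.0", "10.0.19045.7417"),
    ("Windows 11 Version 23H2", "10.0.22631.0", "10.0.22631.7219"),
    ("Windows 11 Version 24H2", "10.0.26100.0", "10.0.26100.8655"),
    ("Windows 11 Version 25H2", "10.0.26200.0", "10.0.26200.8655"),
    ("Windows 11 Version 26H1", "10.0.28000.0", "10.0.28000.2269"),
    ("Windows Server 2022", "10.0.20348.0", "10.0.20348.5256"),
    ("Windows Server 2025", "10.0.26100.0", "10.0.26100.32995"),
]


def parse_build(build: str) -> Tuple[int, ...]:
    """'10.0.19044.5000' -> (10, 0, 19044, 5000); rejects anything that is not four integers."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows build: {build!r}")
    return tuple(int(p) for p in parts)


def assess(build: str, product: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (product, verdict) for every table row on the same 10.0.NNNNN build line.

    verdict is 'affected' (first_affected <= build < first_fixed), 'fixed', or
    'unknown' when the build line is not in the table at all. Pass product= to
    narrow to one row when a build line is shared by several products.
    """
    b = parse_build(build)
    results = []
    for name, first_affected, first_fixed in FIX_TABLE:
        lo, hi = parse_build(first_affected), parse_build(first_fixed)
        if lo[:3] != b[:3] or (product is not None and product != name):
            continue
        results.append((name, "affected" if lo <= b < hi else "fixed"))
    return results or [(product or "unmatched build line", "unknown")]


def needs_patch(build: str, product: Optional[str] = None) -> bool:
    """Conservative verdict: flag the host if any matching row is still affected."""
    return any(verdict == "affected" for _, verdict in assess(build, product))


if __name__ == "__main__":
    for sample in ("10.0.19044.5000", "10.0.19044.7417", "10.0.26100.9000"):
        print(sample, assess(sample), "patch needed:", needs_patch(sample))
```

Without a product name the shared 26100 line is reported for both products and `needs_patch` errs on the side of flagging; feed it the product from the image metadata to get a single answer.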