HIGH | CVE-2026-45597 | CNA: microsoft

CVE-2026-45597: Windows UI Automation Manager (uiamanager.dll) Elevation of Privilege Vulnerability

Concurrent execution using shared resource with improper synchronization ('race condition') in UI Automation Manager (uiamanager.dll) allows an authorized attacker to elevate privileges locally.

Metrics

CVSS v3.1: 7.0
Severity: HIGH
Fixed in: 10.0.20348.5256
Affected Products: 8


HarborGuard Analysis

Synopsis

A race condition in the Windows UI Automation Manager component (uiamanager.dll) allows a local attacker with a low-privilege account to elevate their privileges on affected Windows 11 and Windows Server 2022/2025 systems. The flaw is reached locally, requires no network exposure, and is triggered by manipulating shared resources during concurrent execution, which demands precise timing but no additional credentials. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability of the affected system. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows base images.

HarborGuard Coverage

Detection

Detection for CVE-2026-45597 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that layer on affected Windows base versions. Any image whose Windows build falls within the affected version ranges for Windows 11 (23H2, 24H2, 25H2, 26H1) or Windows Server 2022/2025 is flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.0 (HIGH) and weighting it further against each customer environment's compliance policy, for example flagging it at elevated priority in regulated or production workloads. Routing to the appropriate team inbox within each customer org is available based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild at the applicable fix version (10.0.20348.5256 for Windows Server 2022, 10.0.22631.7219 for Windows 11 23H2, 10.0.26100.8655 or 10.0.26100.32995 for Windows 11/Server 2025 24H2, and 10.0.26200.8655 for Windows 11 25H2) becomes available on HarborGuard once the upstream patched base layer is published. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; no admin credentials are needed to attempt exploitation.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is required; the attacker operates independently.

  • Attack complexity: Detail

    Exploitation requires winning a race condition over shared resources during concurrent execution, meaning timing and environmental factors must align for a reliable attack.

Blast Radius

  • A successful attacker can read files, credentials, and sensitive data accessible only to higher-privilege accounts on the host.
  • The attacker can modify or overwrite protected system files, registry entries, or application data that low-privilege users cannot normally touch.
  • The attacker can crash or destabilize system services, causing denial of service on the affected host.
  • Because all three impact dimensions (confidentiality, integrity, availability) are rated HIGH, the attacker effectively gains full control over the compromised system context.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is matched against all customer images within minutes of publication, covering any image built on an affected Windows base layer across the version ranges listed for Windows 11 23H2 through 26H1 and Windows Server 2022/2025. Where compliance policy permits, HarborGuard can rebuild affected images at the appropriate fix version and open a pull request against impacted workloads automatically; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. Customers who have not enabled auto-remediation can use the HarborGuard triage dashboard to identify all affected image tags and initiate a manual rebuild at the patched version. Given that this is a local privilege escalation requiring only a low-privilege account, organizations running multi-tenant or shared Windows container hosts should treat remediation as time-sensitive even in the absence of network exposure.


Fix available

  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269

Affected packages
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
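
An added example (not HarborGuard or Microsoft code) of checking a build string against the ranges listed above. Builds are compared as integer tuples rather than strings, and the product name is part of the check because Windows 11 24H2 and Windows Server 2025 share build 26100 but have different fix revisions. The function names and the sample inventory are assumptions made for illustration.

```python
"""Added example: match a Windows build against the CVE-2026-45597 ranges on this page."""

# (product, first affected build, first fixed build), copied from the list above.
RANGES = [
    ("Windows 11 Version 23H2", "10.0.22631.0", "10.0.22631.7219"),
    ("Windows 11 Version 24H2", "10.0.26100.0", "10.0.26100.8655"),
    ("Windows 11 Version 25H2", "10.0.26200.0", "10.0.26200.8655"),
    ("Windows 11 Version 26H1", "10.0.28000.0", "10.0.28000.2269"),
    ("Windows Server 2022", "10.0.20348.0", "10.0.20348.5256"),
    ("Windows Server 2025", "10.0.26100.0", "10.0.26100.32995"),
    ("Windows Server 2025 (Server Core installation)", "10.0.26100.0", "10.0.26100.32995"),
]


def parse_build(text):
    """Turn 'major.minor.build.revision' into a tuple of ints for numeric comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows build: {text!r}")
    return tuple(int(p) for p in parts)


def affected_products(build):
    """Products whose affected range [from, fixed) contains this build."""
    b = parse_build(build)
    return [name for name, start, fixed in RANGES
            if parse_build(start) <= b < parse_build(fixed)]


def is_affected(product, build):
    """Product-aware check; product names are compared case-insensitively."""
    wanted = product.strip().casefold()
    if wanted not in {name.casefold() for name, _, _ in RANGES}:
        raise KeyError(f"product not listed for this CVE: {product!r}")
    return wanted in {name.casefold() for name in affected_products(build)}


if __name__ == "__main__":
    # Constructed sample inventory (image tag, product, build); not real data.
    inventory = [
        ("app-a", "Windows Server 2022", "10.0.20348.5256"),
        ("app-b", "Windows Server 2025", "10.0.26100.8655"),
        ("app-c", "Windows 11 version 24H2", "10.0.26100.8655"),
    ]
    for tag, product, build in inventory:
        print(tag, product, build, "AFFECTED" if is_affected(product, build) else "ok")
```

In the sample inventory, the same build 10.0.26100.8655 is reported as fixed for Windows 11 24H2 and as still affected for Windows Server 2025.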
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C