CVE-2022-26904 Overview
CVE-2022-26904 is an elevation of privilege vulnerability affecting the Windows User Profile Service across a wide range of Microsoft Windows operating systems. This vulnerability allows a local attacker with low privileges to exploit a race condition in the User Profile Service to gain elevated SYSTEM-level privileges on the targeted system.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Successful exploitation allows attackers to escalate from a low-privileged user account to SYSTEM privileges, enabling complete control over the affected Windows system.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 1909, 20H2, 21H1, 21H2)
- Microsoft Windows 11 21H2
- Microsoft Windows 7 SP1, Windows 8.1, Windows RT 8.1
- Microsoft Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 20H2
Discovery Timeline
- April 15, 2022 - CVE-2022-26904 published to NVD
- October 30, 2025 - Last updated in NVD database
Technical Details for CVE-2022-26904
Vulnerability Analysis
CVE-2022-26904 is a race condition vulnerability (CWE-362) in the Windows User Profile Service, a core Windows component responsible for loading and unloading user profiles during login and logout operations. The vulnerability exists due to improper synchronization when the User Profile Service handles certain operations, creating a time-of-check to time-of-use (TOCTOU) window that can be exploited.
The attack requires local access and low privileges, meaning an attacker must first gain initial access to the target system. However, once present, the attacker can leverage this vulnerability to escalate privileges to SYSTEM level. The exploitation complexity is high due to the nature of race conditions, which require precise timing to successfully exploit. No user interaction is required for exploitation.
This vulnerability is particularly concerning for enterprise environments where users have limited privileges, as it provides a reliable path from standard user to full administrative control. Organizations with multi-user Windows systems, including terminal servers and shared workstations, face increased risk.
Root Cause
The root cause of CVE-2022-26904 is a race condition (CWE-362) in the Windows User Profile Service. Race conditions occur when the behavior of software depends on the sequence or timing of uncontrollable events, leading to unexpected states. In this case, the User Profile Service fails to properly synchronize access to shared resources during profile operations, allowing an attacker to manipulate the timing of these operations to gain elevated privileges.
The vulnerability specifically relates to how the service handles temporary profile directories and symbolic links. When certain profile operations are performed, there is a brief window where an attacker can redirect file operations to arbitrary locations with SYSTEM privileges.
Attack Vector
The attack vector for CVE-2022-26904 is local, requiring the attacker to have pre-existing access to the target Windows system with a low-privileged user account. The exploitation process involves:
- Initial Access: The attacker must first obtain a foothold on the target system with at least low-level user privileges
- Race Condition Setup: The attacker creates symbolic links and prepares the environment to exploit the timing window
- Trigger Condition: The attacker triggers User Profile Service operations that are vulnerable to the race condition
- Privilege Escalation: By winning the race, the attacker redirects privileged file operations to attacker-controlled locations
- SYSTEM Access: Successful exploitation results in code execution with SYSTEM privileges
The exploitation mechanism leverages the inherent timing vulnerabilities in the User Profile Service's handling of directory junctions and symbolic links during profile operations. Technical details can be found in the Microsoft Security Update Guide.
Detection Methods for CVE-2022-26904
Indicators of Compromise
- Unusual symbolic link or directory junction creation in user profile directories or C:\Users\ path
- Unexpected process execution with SYSTEM privileges originating from low-privileged user sessions
- Abnormal User Profile Service (ProfSvc) activity or crashes
- Creation of suspicious files or directories in Windows profile-related locations
- Event logs showing privilege escalation patterns following profile service operations
Detection Strategies
- Monitor for symbolic link and junction point creation in profile-related directories using file system monitoring tools
- Implement behavioral detection for race condition exploitation patterns, particularly rapid file system operations followed by privilege changes
- Enable and monitor Windows Security Event logs for Event ID 4688 (process creation) with unusual parent-child process relationships
- Deploy endpoint detection and response (EDR) solutions configured to detect privilege escalation techniques
Monitoring Recommendations
- Configure SIEM alerts for anomalous User Profile Service behavior and related process activity
- Monitor for unauthorized SYSTEM-level process spawning from user-context operations
- Implement file integrity monitoring on critical Windows profile directories
- Review Security logs for patterns indicating TOCTOU exploitation attempts
How to Mitigate CVE-2022-26904
Immediate Actions Required
- Apply Microsoft security updates released in April 2022 Patch Tuesday immediately
- Prioritize patching for systems where users have local access, particularly terminal servers and shared workstations
- Audit systems to identify any indicators of prior exploitation
- Implement network segmentation to limit lateral movement potential if exploitation occurs
- Enable additional logging and monitoring for User Profile Service activity
Patch Information
Microsoft has released security updates to address CVE-2022-26904 as part of the April 2022 security updates. Organizations should apply the appropriate cumulative update for their Windows version through Windows Update, Windows Server Update Services (WSUS), or Microsoft Update Catalog. Detailed patch information and download links are available in the Microsoft Security Update Guide.
Given this vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, federal agencies and organizations following CISA guidance should treat patching as an urgent priority.
Workarounds
- Restrict local user access to systems where possible until patches can be applied
- Implement application control policies to prevent unauthorized executable execution
- Use Windows Defender Credential Guard to limit the impact of credential theft following exploitation
- Deploy SentinelOne endpoint protection with Behavioral AI to detect and block privilege escalation attempts
- Consider temporary removal of non-essential local user accounts on critical systems
# Verify patch installation status for April 2022 updates
# Check for installed updates using PowerShell
Get-HotFix | Where-Object {$_.InstalledOn -ge "2022-04-01"} | Select-Object HotFixID, InstalledOn, Description
# Enable enhanced auditing for file system operations
auditpol /set /subcategory:"File System" /success:enable /failure:enable
# Monitor User Profile Service status
sc query ProfSvc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
