CVE-2026-32091: Windows 10 1607 Privilege Escalation Flaw

CVE-2026-32091 Overview

CVE-2026-32091 is a race condition vulnerability in the Microsoft Brokering File System affecting Windows desktop and server operating systems. The flaw stems from concurrent execution using a shared resource with improper synchronization [CWE-362]. A locally authenticated attacker can win a timing race against the Brokering File System to elevate privileges on the affected host. Microsoft published the advisory on April 14, 2026, and the issue impacts supported Windows 10, Windows 11, and Windows Server releases.

Critical Impact

Successful exploitation grants high impact to confidentiality, integrity, and availability, allowing an attacker with low privileges to escalate to elevated rights on the local system.

Affected Products

• Microsoft Windows 10 (1607, 1809, 21H2, 22H2) across x86, x64, and ARM64 builds
• Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) across x64 and ARM64 builds
• Microsoft Windows Server 2016, 2019, 2022, 2022 23H2, and 2025

Discovery Timeline

• 2026-04-14 - CVE-2026-32091 published to NVD
• 2026-04-14 - Microsoft releases security update via MSRC advisory
• 2026-04-21 - Last updated in NVD database

Technical Details for CVE-2026-32091

Vulnerability Analysis

The Brokering File System (bfs.sys) brokers file operations between user-mode callers and protected file system resources on Windows. Improper synchronization of access to a shared resource introduces a Time-of-Check Time-of-Use (TOCTOU) window. An attacker running code in a low-privileged context can trigger the broker repeatedly while concurrently mutating state that the broker assumes is stable. When the race is won, the broker performs a privileged action using attacker-controlled inputs.

The vulnerability requires local access and low privileges, but no user interaction. Microsoft rates attack complexity as high because exploitation depends on consistently winning a narrow timing window. The EPSS score of 0.041% reflects a low predicted likelihood of public exploitation in the near term, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog at this time.

Root Cause

The root cause is missing or insufficient synchronization around a shared object accessed by the Brokering File System. Two or more code paths can operate on the same handle, path, or descriptor without serialization, violating the atomicity required between validation and use. This class of flaw is tracked as [CWE-362] concurrent execution using shared resource with improper synchronization.

Attack Vector

Exploitation proceeds locally. An attacker with a standard user account runs a process that repeatedly invokes file operations brokered by the vulnerable component. A second thread mutates the resource between the broker's validation and its privileged use. When the race resolves in the attacker's favor, the broker acts on a substituted resource, allowing the attacker to write, redirect, or execute under the broker's elevated context. The result is local privilege escalation to SYSTEM-equivalent rights.

No public proof-of-concept code is available at the time of writing. Technical details are limited to the Microsoft Security Update CVE-2026-32091 advisory.

Detection Methods for CVE-2026-32091

Indicators of Compromise

• Unexpected child processes of svchost.exe or Brokering File System components running with SYSTEM integrity after being spawned by a standard user session.
• File system reparse point or symbolic link creations in user-writable directories immediately preceding a privilege transition.
• High-rate, repeated invocations of file broker APIs from a single low-privileged process, characteristic of race-window grinding.

Detection Strategies

• Hunt for token elevation events (Windows Security Event ID 4672) tied to processes launched from non-administrative parents within short time windows.
• Correlate Sysmon Event ID 1 (process create) and Event ID 11 (file create) sequences that show rapid file replacement adjacent to broker activity.
• Apply behavioral detections for known local privilege escalation patterns: standard user process followed by SYSTEM-level write to protected paths.

Monitoring Recommendations

• Forward Windows Security, Sysmon, and kernel telemetry to a centralized analytics platform for cross-event correlation.
• Baseline normal use of file broker APIs per host and alert on statistical outliers in call volume or thread contention.
• Track patch deployment status of the April 2026 Microsoft security updates across all Windows endpoints and servers.

How to Mitigate CVE-2026-32091

Immediate Actions Required

• Apply the April 2026 Microsoft security update referenced in the MSRC advisory for CVE-2026-32091 to all affected Windows 10, Windows 11, and Windows Server systems.
• Prioritize patching on multi-user systems, terminal servers, and developer workstations where untrusted local code is most likely to execute.
• Audit local accounts and remove unnecessary interactive logon rights to reduce the population of users able to attempt local exploitation.

Patch Information

Microsoft has released cumulative updates addressing CVE-2026-32091 for all supported Windows client and server versions listed in the affected products. Refer to the Microsoft Security Update Guide entry for CVE-2026-32091 for the specific KB article corresponding to each Windows build.

Workarounds

• No vendor-supplied workaround is documented; installing the security update is the supported remediation.
• Enforce application control policies such as Windows Defender Application Control or AppLocker to prevent unauthorized binaries from executing in user contexts.
• Restrict local logon and Remote Desktop access to trusted administrative accounts until patching is complete.

# Verify the relevant security update is installed on a Windows host
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10

# Confirm patch level against the build expected after the April 2026 update
[System.Environment]::OSVersion.Version