Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45597

CVE-2026-45597: Windows 11 23h2 Race Condition Vulnerability

CVE-2026-45597 is a race condition flaw in Windows 11 23h2's UI Automation Manager that enables local privilege escalation through improper synchronization. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-45597 Overview

CVE-2026-45597 is a race condition vulnerability in the Windows UI Automation Manager component (uiamanager.dll). The flaw stems from concurrent execution using a shared resource with improper synchronization [CWE-362]. An authorized local attacker can exploit the timing window to elevate privileges on affected Windows 11 and Windows Server systems. Microsoft has published a security advisory addressing the issue across multiple supported builds.

Critical Impact

A successful exploit grants high impact to confidentiality, integrity, and availability, enabling privilege escalation from an authenticated user context to elevated execution on the local system.

Affected Products

  • Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) on x64 and arm64
  • Microsoft Windows Server 2022
  • Microsoft Windows Server 2025 (x64)

Discovery Timeline

  • 2026-06-09 - CVE-2026-45597 published to the National Vulnerability Database
  • 2026-06-11 - Last updated in NVD

Technical Details for CVE-2026-45597

Vulnerability Analysis

The vulnerability resides in uiamanager.dll, the Windows component that brokers UI Automation requests between accessibility clients and providers. Multiple threads access a shared resource without sufficient synchronization, creating a race condition that an attacker can win to manipulate program state during a narrow timing window. Exploitation requires local access and valid low-privilege credentials, and the attack complexity is high because the attacker must reliably interleave operations against the shared resource.

Root Cause

The root cause is improper synchronization of concurrent execution paths that operate on a shared object within UI Automation Manager. When two threads access and modify the resource without atomic guarantees, an attacker-controlled thread can alter state between a check and the subsequent use, leading to a Time-of-Check Time-of-Use (TOCTOU) condition. The flawed locking discipline enables the attacker to corrupt logic that the broker process relies on to enforce trust boundaries.

Attack Vector

The attack vector is local. An attacker who already holds an authenticated user account on the target host must execute code that races the UI Automation Manager's internal state transitions. Successful exploitation produces high-integrity execution, granting privilege escalation suitable for persistence, credential theft, or lateral movement. No user interaction is required beyond the attacker's own session.

No public exploit code has been observed at the time of publication, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Microsoft Security Update CVE-2026-45597 advisory for vendor-confirmed technical context.

Detection Methods for CVE-2026-45597

Indicators of Compromise

  • Unexpected child processes spawned by svchost.exe instances hosting UI Automation services, particularly those running under elevated tokens after originating from a standard user session.
  • Anomalous handle activity or repeated, rapid invocations against uiamanager.dll from non-accessibility applications.
  • Creation of new privileged services, scheduled tasks, or local administrator accounts shortly after suspicious UI Automation client activity.

Detection Strategies

  • Monitor for token elevation events (Windows Event ID 4673, 4688) where the parent process is a standard-user application and the child runs at SYSTEM or High integrity.
  • Hunt for processes loading uiamanager.dll that are not signed Microsoft accessibility tools or known UI Automation consumers.
  • Correlate rapid, repeated COM calls into UI Automation interfaces with subsequent privilege transitions in the same logon session.

Monitoring Recommendations

  • Ensure endpoint telemetry captures DLL loads, image loads, and process integrity-level changes on all Windows 11 and Server 2022/2025 hosts.
  • Forward Sysmon Event IDs 1, 7, 10, and 11 to a central analytics platform for correlation against UI Automation activity.
  • Establish a baseline for legitimate accessibility software in the environment so deviations stand out during threat hunts.

How to Mitigate CVE-2026-45597

Immediate Actions Required

  • Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-45597 to all affected Windows 11 and Windows Server builds.
  • Inventory endpoints by build (23H2, 24H2, 25H2, 26H1, Server 2022, Server 2025) and prioritize multi-user hosts, jump servers, and developer workstations.
  • Restrict interactive logon rights on sensitive systems to reduce the population of users who can attempt local privilege escalation.

Patch Information

Microsoft has released fixes through the standard Windows Update channel. Validate deployment by confirming the patched uiamanager.dll version on representative hosts and reviewing the MSRC update guide entry for each affected SKU.

Workarounds

  • No vendor-supplied workaround replaces the patch; treat the security update as the only complete remediation.
  • As a compensating control, enforce least privilege and remove unnecessary local accounts from systems pending patch deployment.
  • Apply application control policies (Windows Defender Application Control or AppLocker) to limit which binaries can execute in user sessions and reduce the pool of code able to trigger the race.
bash
# Verify patched uiamanager.dll version on a host
Get-Item C:\Windows\System32\uiamanager.dll | Select-Object VersionInfo

# Enumerate Windows builds across the fleet to prioritize patching
Get-WmiObject Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.