7

CVE-2022-26904

Warning

Windows User Profile Service Elevation of Privilege Vulnerability

Data is provided by the National Vulnerability Database (NVD)
MicrosoftWindows 10 1507 Version < 10.0.10240.19265
MicrosoftWindows 10 1607 Version < 10.0.14393.5066
MicrosoftWindows 10 1809 Version < 10.0.17763.2803
MicrosoftWindows 10 1909 Version < 10.0.18363.2212
MicrosoftWindows 10 20h2 Version < 10.0.19042.1645
MicrosoftWindows 10 21h1 Version < 10.0.19043.1645
MicrosoftWindows 10 21h2 Version < 10.0.19044.1645
MicrosoftWindows 11 21h2 Version < 10.0.22000.613
MicrosoftWindows 7 Version- Updatesp1
MicrosoftWindows 8.1 Version-
MicrosoftWindows Rt 8.1 Version-
MicrosoftWindows Server 2008 Versionr2 Updatesp1 HwPlatformx64
MicrosoftWindows Server 2016 Version < 10.0.14393.5066
MicrosoftWindows Server 2019 Version < 10.0.17763.2803
MicrosoftWindows Server 2022 Version < 10.0.20348.643
MicrosoftWindows Server 20h2 Version < 10.0.19042.1645

25.04.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft Windows User Profile Service Privilege Escalation Vulnerability

Vulnerability

Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.

Description

Apply updates per vendor instructions.

Required actions
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 28.11% 0.963
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 4.4 3.4 6.4
AV:L/AC:M/Au:N/C:P/I:P/A:P
secure@microsoft.com 7 1 5.9
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.