Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability

Plan PatchCVSS 7CVE-2026-32224Apr 14, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityHigh

User InteractionNone needed

Summary

A use-after-free vulnerability in Windows Server Update Service allows a local user with standard privileges to escalate to system-level privileges. The vulnerability requires local code execution but does not require elevated initial credentials. Microsoft rates exploitation as unlikely and has released a patch in the 2026-Apr security update.

What this means

What could happen

An attacker with local access to a Windows 11 system could exploit this flaw in Windows Server Update Service to gain elevated system privileges, potentially allowing them to modify system settings, access sensitive data, or disrupt normal operations.

Who's at risk

Windows 11 systems (both ARM64 and x64 architectures) that run Windows Server Update Service. This affects system administrators and IT personnel managing Windows 11 environments, particularly those using WSUS for enterprise patch distribution in municipalities or utilities.

How it could be exploited

An attacker with local user account access exploits a use-after-free vulnerability in the Windows Server Update Service process. By crafting malicious input to the WSUS service, the attacker can escalate privileges from a standard user account to system-level privileges without user interaction.

Prerequisites

Local user account on the system
WSUS service running and accessible from user-level process
Local code execution capability

local attack onlyrequires user account accessaffects system administration capabilitiesno active exploitation reported

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Windows 11 Version 26H1 for ARM64-based SystemsAll versionsBuild 10.0.28000.1836

Windows 11 version 26H1 for x64-based SystemsAll versionsBuild 10.0.28000.1836

Remediation & Mitigation

0/1

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply the 2026-Apr Microsoft security update to Windows 11 Build 10.0.28000.1836 or later

CVEs (1)

CVE-2026-32224

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4b786d77-d965-45bd-adb4-cfa989158aec

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.