What is the Windows User Profile Service?
The Windows User Profile Service (ProfSvc) creates, loads, and unloads user profiles on Windows systems. It runs as a privileged system service (an svchost.exe instance running as LocalSystem) and handles operations such as profile creation at first logon, roaming-profile synchronization, and fallback to a temporary profile when the real one cannot be loaded. Because it acts as SYSTEM on files, directories and registry data that the logging-on user can influence, it is a natural target for race-condition (time-of-check to time-of-use) attacks.
Overview
CVE-2022-26904 is a race condition (CWE-362) in the Windows User Profile Service. A local attacker with a low-privileged account who wins the race can run code as SYSTEM. The high attack complexity (AC:H) reflects the timing requirement, but that is not a meaningful barrier in practice: exploits simply retry until they win. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on April 25, 2022, which means it had evidence of in-the-wild exploitation.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 (multiple versions) | Yes | April 2022 CU |
| Windows 11 | Yes | April 2022 CU |
| Windows Server 2012 R2 – 2022 | Yes | April 2022 CU |
| Windows 8.1 | Yes | April 2022 CU |
Technical Details
The vulnerability is a time-of-check to time-of-use (TOCTOU) race condition (CWE-362) in the User Profile Service's handling of profile loading or creation. The service checks a resource it is about to act on (for example, a directory path or registry key) and then uses that resource in a privileged operation. Because the check and the use are two separate steps performed on a name rather than on a handle the service already holds, a local attacker can swap the resource in the window between them (on Windows, typically with a symbolic link, junction or other reparse point) so that the privileged operation lands on an attacker-chosen object. The public vendor advisory does not name the exact resource or window, so this description is at the level of the bug class.
- Attack vector: Local — requires a foothold on the target system
- Privileges required: Low — a standard unprivileged user
- Attack complexity: High — requires winning the race condition; in practice, automated tooling can retry rapidly
- Impact: SYSTEM privilege escalation; full OS control
- Common use: Post-exploitation step after initial access via phishing or RCE
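The check-then-use pattern described above, reduced to a runnable illustration. This is an added example written for this page, not code from ProfSvc or from Microsoft, and it is deliberately generic: a privileged writer checks that a path resolves inside an allowed directory and then writes to it, and an attacker retargets a symbolic link in between. It is Python on POSIX (it relies on dir_fd and O_NOFOLLOW, which the os module does not offer on Windows); the scratch files, the names and the race_hook callback that stands in for the attacker winning the race are all constructed for the demo.

```python
"""TOCTOU (CWE-362) in a privileged file write: name-based check vs handle-based check.
Added illustration of the bug class, POSIX-only; not ProfSvc code."""
import errno
import os
import shutil
import stat
import tempfile


def _resolves_inside(path, allowed_dir):
    """Name-based check: does PATH *currently* resolve under ALLOWED_DIR?"""
    return os.path.realpath(path).startswith(os.path.realpath(allowed_dir) + os.sep)


def vulnerable_write(path, allowed_dir, data, race_hook=lambda: None):
    """Check a name, then use the name. The filesystem may change in between.
    race_hook models the attacker winning the race; it is called inside the
    window so the demo is deterministic instead of depending on timing."""
    if not _resolves_inside(path, allowed_dir):
        raise PermissionError(f"{path} resolves outside {allowed_dir}")
    race_hook()                              # attacker retargets the link here
    with open(path, "wb") as f:              # open() follows wherever it points *now*
        f.write(data)


def hardened_write(name, allowed_dir, data, race_hook=lambda: None):
    """Bind to the object first, then check and use the same handle.
    NAME is a bare entry name opened relative to a directory handle with
    O_NOFOLLOW: a symlink is refused (ELOOP) rather than followed, and a swap
    after the open cannot redirect a handle we already hold."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("name must be a plain entry inside allowed_dir")
    dir_fd = os.open(allowed_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        fd = os.open(name, os.O_WRONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    try:
        race_hook()                          # attacker acts; our fd is unaffected
        if not stat.S_ISREG(os.fstat(fd).st_mode):   # checks run on the handle, not the name
            raise PermissionError("not a regular file")
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Run both versions against a constructed scratch tree and report what happened."""
    root = tempfile.mkdtemp()
    allowed = os.path.join(root, "profile")            # stands in for the user's profile dir
    os.makedirs(allowed)
    os.makedirs(os.path.join(root, "system"))
    protected = os.path.join(root, "system", "secret.txt")   # stands in for a SYSTEM-owned file
    benign = os.path.join(allowed, "settings.txt")
    link = os.path.join(allowed, "link")

    def reset():
        for p in (link, benign):
            if os.path.lexists(p):
                os.remove(p)
        with open(benign, "wb") as f:
            f.write(b"benign")
        with open(protected, "wb") as f:
            f.write(b"ORIGINAL")
        os.symlink(benign, link)                     # passes the check at check time

    def retarget_link():                             # attacker's move inside the window
        os.remove(link)
        os.symlink(protected, link)

    def replace_settings_with_link():                # attacker's move after the hardened open
        os.remove(benign)
        os.symlink(protected, benign)

    results = {}
    try:
        reset()
        vulnerable_write(link, allowed, b"PWNED", race_hook=retarget_link)
        with open(protected, "rb") as f:
            results["vulnerable_protected_content"] = f.read()      # the write landed outside

        reset()
        try:
            hardened_write("link", allowed, b"PWNED", race_hook=retarget_link)
            results["hardened_symlink_refused"] = False
        except OSError as e:
            results["hardened_symlink_refused"] = e.errno == errno.ELOOP

        reset()
        hardened_write("settings.txt", allowed, b"PWNED", race_hook=replace_settings_with_link)
        with open(protected, "rb") as f:
            results["hardened_protected_content_after_swap"] = f.read()   # untouched
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened version shows the fix pattern for this bug class: bind to the object first, then perform both the security check and the privileged operation through that same handle. On Windows the equivalent is to open the object once with a flag that refuses to traverse reparse points (FILE_FLAG_OPEN_REPARSE_POINT) and to validate and act through the returned handle rather than by path.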
Discovery
Reported to Microsoft through coordinated disclosure. The two-week gap between the patch (April 12) and KEV addition (April 25) is consistent with exploitation being observed or confirmed shortly after patch analysis enabled reconstruction of the vulnerability.
Exploitation Context
Active exploitation confirmed by CISA. Race condition privilege escalation bugs require local execution first, making them second-stage tools in intrusion chains. They are typically used by threat actors who have achieved initial access (via phishing, RCE, or credential theft) and need to escalate to SYSTEM for persistence, credential dumping, or defense evasion.
Remediation
- Apply the April 2022 Patch Tuesday cumulative update for your Windows version
- Prioritize domain controllers, jump servers, and other high-value systems
- Enforce least-privilege access controls to minimize the impact of any initial-access foothold
- Monitor for process creation at SYSTEM integrity whose parent process runs under a standard user account; on a patched system this remains a useful signal for other local privilege escalation attempts
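The monitoring item above as working triage logic. This is an added example, not a vendor- or Sysmon-supplied rule; it runs over constructed records shaped like the data fields of Sysmon Event ID 1 (ProcessCreate: Image, User, ParentImage, ParentUser), which is the event source assumed here, and the account names, paths and process IDs are invented for the demo.

```python
"""Flag SYSTEM process creations whose parent runs as an ordinary user.
Added example over constructed Sysmon Event ID 1 records; not a vendor rule."""
import re

SYSTEM_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)   # profile directories

# Constructed sample events (invented accounts, paths and PIDs).
SAMPLE_EVENTS = [
    {"ProcessId": 1240, "Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe", "ParentUser": "NT AUTHORITY\\SYSTEM"},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\cmd.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\poc.exe", "ParentUser": "CORP\\alice"},
    {"ProcessId": 3310, "Image": r"C:\Windows\System32\consent.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentUser": "NT AUTHORITY\\SYSTEM"},
    {"ProcessId": 6020, "Image": r"C:\Windows\System32\conhost.exe", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentUser": "CORP\\alice"},
    {"ProcessId": 7781, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentUser": "CORP\\bob"},
    {"ProcessId": 8002, "Image": r"C:\Windows\System32\notepad.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\taskhostw.exe", "ParentUser": "-"},
]


def classify(ev):
    """Return (confidence, reason) for a suspicious event, or None."""
    user = ev.get("User", "").upper()
    parent_user = ev.get("ParentUser") or "-"
    if user != "NT AUTHORITY\\SYSTEM":
        return None                       # only SYSTEM children are of interest here
    if parent_user == "-":
        return None                       # ParentUser missing (older Sysmon): resolve via ParentProcessGuid first
    if parent_user.upper() in {a.upper() for a in SYSTEM_ACCOUNTS}:
        return None                       # service-to-service spawn, the normal case
    parent_image = ev.get("ParentImage", "")
    if USER_WRITABLE.match(parent_image):
        return ("high", f"SYSTEM child of {parent_user} spawned from user-writable path {parent_image}")
    return ("medium", f"SYSTEM child of non-service account {parent_user} via {parent_image}")


def triage(events):
    """Return [(ProcessId, confidence, reason)] for every event worth a look."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            findings.append((ev["ProcessId"], *verdict))
    return findings


if __name__ == "__main__":
    for pid, confidence, reason in triage(SAMPLE_EVENTS):
        print(f"[{confidence}] PID {pid}: {reason}")
```

The ParentUser field is only populated by recent Sysmon releases; on older collectors, join the child's ParentProcessGuid to the parent's own ProcessCreate event to recover the parent account. Legitimate service-to-service spawns (services.exe to svchost.exe, UAC's consent.exe) fall through untouched, so the rule stays quiet on a healthy host.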
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-26904 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2022-04-15 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, i.e. race condition) |
| CISA KEV Added | 2022-04-25 |
| CISA KEV Deadline | 2022-05-16 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value | Weight |
|---|---|---|
| Attack Vector (AV) | Local (L) | 0.55 |
| Attack Complexity (AC) | High (H) | 0.44 |
| Privileges Required (PR) | Low (L) | 0.62 (scope unchanged) |
| User Interaction (UI) | None (N) | 0.85 |
| Scope (S) | Unchanged (U) | - |
| Confidentiality (C) | High (H) | 0.56 |
| Integrity (I) | High (H) | 0.56 |
| Availability (A) | High (H) | 0.56 |
| Exploitability sub-score | 1.0 | 8.22 × AV × AC × PR × UI |
| Impact sub-score | 5.9 | 6.42 × (1 − (1−C)(1−I)(1−A)) |
| Base score | 7.0 (HIGH) | roundup(Impact + Exploitability) |
Required Action
CISA KEV required action: apply updates per vendor instructions, with a remediation deadline of 2022-05-16 under BOD 22-01 for federal civilian agencies.
Timeline
| Date | Event |
|---|---|
| 2022-04-12 | Microsoft patches CVE-2022-26904 in April 2022 Patch Tuesday |
| 2022-04-15 | CVE published |
| 2022-04-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-16 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2022-26904 | Vendor Advisory |
| NVD — CVE-2022-26904 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |