PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-20921 Microsoft CVE debrief

A race condition vulnerability in Windows SMB Server allows an authorized attacker to elevate privileges over a network. The flaw stems from concurrent execution using a shared resource with improper synchronization (CWE-362). Microsoft has assigned this a CVSS 3.1 score of 7.5 (HIGH severity). The vulnerability was published on January 13, 2026, with the record last modified on May 26, 2026. Affected products span multiple Windows client and server versions, including Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2), Windows Server 2008 SP2/R2 SP1, Windows Server 2012/R2, Windows Server 2016, 2019, 2022, 2022 23H2, and Windows Server 2025. Notably, Windows Server 2008 and 2012 versions are listed as vulnerable without specified patch versions, suggesting these may be out-of-support platforms requiring extended security updates or mitigation. The attack requires network access, low privileges, and no user interaction, though attack complexity is rated as high. Successful exploitation could result in complete compromise of confidentiality, integrity, and availability.

Vendor: Microsoft
Product: Windows 10 Version 1607
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-13
Original CVE updated: 2026-05-26
Advisory published: 2026-01-13
Advisory updated: 2026-05-26

Who should care

System administrators managing Windows Server infrastructure, security teams responsible for patch management programs, organizations with legacy Windows Server 2008/2012 deployments, and defenders monitoring for privilege escalation techniques in SMB environments.

Technical summary

The vulnerability exists in the Windows SMB Server implementation where improper synchronization during concurrent execution creates a race condition. An attacker with low-privileged network access can exploit this timing-dependent flaw to elevate privileges. The high attack complexity (AC:H) suggests successful exploitation requires precise timing or specific conditions. The vulnerability is particularly concerning for environments with SMB exposed across network segments, as the attack vector is network-based (AV:N) with no user interaction required (UI:N). Impact is severe across all CIA triad components, enabling complete system compromise post-exploitation.

Defensive priority

HIGH

Recommended defensive actions

  • Apply security updates from Microsoft for all affected Windows versions, prioritizing domain controllers and file servers with SMB exposed to internal networks
  • For Windows Server 2008 and 2012 systems without available patches, implement network segmentation to restrict SMB access to authorized hosts only, or migrate to supported platforms
  • Enable SMB signing and encryption to reduce attack surface, though this does not eliminate the vulnerability
  • Monitor for anomalous privilege escalation activities and SMB session anomalies using endpoint detection and response (EDR) tools
  • Review and apply detection guidance from security community resources where available
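The following PowerShell script is an added example and is not part of the PatchSiren debrief or any Microsoft guidance; it carries out the hardening and verification steps listed above on a single Windows host. It assumes an elevated Windows PowerShell 5.1 (or later) session with the built-in SmbShare and NetSecurity modules, and it uses two placeholders that must be replaced before use: the allowed subnet list (constructed values) and the KB identifier of the Microsoft update, which the page does not name.

```powershell
# Added example (not from the PatchSiren advisory): harden and verify the SMB
# Server configuration on one Windows host. Run in an elevated session.

# 1. Record the current state so the change is auditable.
$before = Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, RequireSecuritySignature, EncryptData, RejectUnencryptedAccess
Write-Output 'SMB server settings before hardening:'
$before | Format-List

# 2. Require SMB signing and turn on SMB 3.x encryption for every share.
#    RejectUnencryptedAccess refuses clients that cannot encrypt (SMB 2.x and older),
#    so confirm no such clients are still in use before enabling it.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# 3. Disable SMB1, which supports neither encryption nor modern signing.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Restrict inbound SMB (TCP 445) to authorised subnets by scoping the built-in
#    "File and Printer Sharing (SMB-In)" allow rule. The default inbound action of
#    Windows Defender Firewall is Block, so no extra block rule is needed (an explicit
#    block rule would override the allow rule for the same traffic).
$allowedSubnets = @('10.0.10.0/24', '10.0.20.0/24')   # constructed placeholder ranges
Set-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' `
    -RemoteAddress $allowedSubnets -Enabled True

# 5. Check whether the Microsoft update is installed. The KB number is a placeholder;
#    take the real one from the MSRC advisory for this CVE.
$kb = 'KB0000000'
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Output "Update $kb is installed."
} else {
    Write-Warning "Update $kb is NOT installed; this host remains exposed."
}

# 6. Verify the new settings and list active SMB sessions so unexpected clients
#    or unusually busy sessions stand out during monitoring.
Write-Output 'SMB server settings after hardening:'
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, RequireSecuritySignature, EncryptData, RejectUnencryptedAccess |
    Format-List
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens, SecondsIdle |
    Sort-Object ClientComputerName |
    Format-Table -AutoSize
```

Signing and encryption narrow what an unauthenticated or low-privileged client can do on the wire but, as the action list says, do not remove the race condition itself; the patch check in step 5 is the control that actually closes the vulnerability. On Windows Server 2008 and 2012 hosts without an available update, step 4 (and the equivalent scoping on the network edge) is the primary compensating control.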

Evidence notes

CWE-362 (Race Condition) confirmed via the Microsoft MSRC advisory. The CVSS vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H indicates a network-based attack with high complexity but significant impact. CPE data confirms broad Windows version coverage, including end-of-life server platforms.

Official resources

Microsoft disclosed this vulnerability via its Security Response Center on January 13, 2026. The CVE record was subsequently modified on May 26, 2026, indicating potential updates to the affected product ranges or additional technical details.