CVE-2026-21237 – A race condition vulnerability in Windows Subsy... (How to Fix)

Q: What is the severity of CVE-2026-21237?

CVE-2026-21237 has a CVSS score of 7.0 (HIGH). A race condition vulnerability in Windows Subsystem for Linux allows authenticated local attackers to escalate privileges by exploiting improper synchronization of shared resources. This affects Windows systems running WSL where an attacker has initial access. The vulnerability enables elevation from user to higher privileges within the WSL environment.

📋 TL;DR

A race condition vulnerability in Windows Subsystem for Linux allows authenticated local attackers to escalate privileges by exploiting improper synchronization of shared resources. This affects Windows systems running WSL where an attacker has initial access. The vulnerability enables elevation from user to higher privileges within the WSL environment.

💻 Affected Systems

Products:

Windows Subsystem for Linux
Windows 10
Windows 11

Versions: Specific affected versions not specified in CVE description; likely multiple WSL versions prior to patch

Operating Systems: Windows 10, Windows 11

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WSL to be installed and enabled. Systems without WSL are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through privilege escalation to root/SYSTEM level, enabling installation of persistent malware, data theft, and lateral movement.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, access sensitive files, and execute arbitrary code with elevated permissions.

🟢

If Mitigated

Limited impact with proper access controls, monitoring, and minimal user privileges reducing attack surface.

🌐 Internet-Facing: LOW - Requires local access and authentication to exploit.

🏢 Internal Only: HIGH - Significant risk in environments where users have local access and WSL is enabled.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Race condition exploitation requires precise timing and local access. No public exploit code mentioned in initial disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Specific version not provided in CVE; check Microsoft Security Update Guide

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21237

Restart Required: Yes

Instructions:

1. Open Windows Update Settings. 2. Check for updates. 3. Install all available security updates. 4. Restart system if prompted. 5. Verify WSL is updated via 'wsl --version'.

🔧 Temporary Workarounds

Disable WSL

windows

Completely disable Windows Subsystem for Linux if not required

wsl --shutdown
dism.exe /online /disable-feature /featurename:Microsoft-Windows-Subsystem-Linux

Restrict WSL Access

windows

Limit which users can access WSL through group policy

🧯 If You Can't Patch

Implement strict least privilege access controls to limit user permissions
Enable enhanced monitoring and logging for WSL activities and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if WSL is enabled and system has not received latest Windows security updates

Check Version:

wsl --version

Verify Fix Applied:

Verify Windows Update history shows latest security patches installed and run 'wsl --version' to check WSL version

📡 Detection & Monitoring

Log Indicators:

Unusual privilege escalation events in Windows Security logs
Multiple rapid WSL process creations
Failed then successful privilege elevation attempts

Network Indicators:

Local process communication anomalies
Unexpected outbound connections from WSL processes

SIEM Query:

EventID=4688 AND ProcessName LIKE '%wsl%' AND NewProcessName LIKE '%sudo%' OR EventID=4672 AND SubjectUserName NOT IN (expected_admin_users)

📊 Metadata

CVE ID: CVE-2026-21237

CVSS v3 Score: 7.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-362

EPSS Score: 0.02% exploit probability (5.4th percentile)

Published: February 10, 2026

Last Updated: February 11, 2026

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21237 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-21237, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows 11 25h2 by Microsoft

Windows 11 25h2 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable WSL

Restrict WSL Access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities