CVE-2026-32080: Windows WalletService Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 7)

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-Apr

Released

2026-04-14

Description

Use after free in Windows WalletService allows an authorized attacker to elevate privileges locally.

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Affected Products (9)

Windows

• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server 2022
• Windows Server 2022 (Server Core installation)
• Windows Server 2025 (Server Core installation)
• Windows Server 2022, 23H2 Edition (Server Core installation)
• Windows Server 2025
• Windows Server 2016
• Windows Server 2016 (Server Core installation)

Security Updates (5)

• 5082123
• 5082142
• 5082063
• 5082060
• 5082198

Acknowledgments

<a href="https://twitter.com/hillstone_lab">Zhang WangJunJie, He YiSheng</a> with <a href="https://www.hillstonenet.com/">Hillstone Networks</a>

Revision History

• 2026-04-14: Information published.