Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacke...
Description
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: AdGuard
PRODUCT: AdGuard Home
AFFECTED_VERSIONS: Prior to 0.107.73
---END_METADATA---
Description Summary:
AdGuard Home is vulnerable to an unauthenticated authentication bypass via HTTP/2 cleartext (h2c) upgrades, allowing attackers to process requests as fully authenticated.
Executive Summary:
A critical authentication bypass in AdGuard Home allows unauthenticated attackers to gain full administrative access by exploiting a flaw in HTTP/2 protocol handling.
Vulnerability Details
CVE-ID: CVE-2026-32136
Affected Software: AdGuard Home
Affected Versions: Prior to 0.107.73
Vulnerability: The vulnerability exists in the way AdGuard Home handles HTTP/1.1 requests that upgrade to HTTP/2 cleartext (h2c). The resulting connection bypasses the authentication middleware, allowing all subsequent HTTP/2 requests on that connection to be treated as fully authenticated without any credentials.
Business Impact
Attackers can gain complete control over network-wide ad-blocking and DNS settings, enabling them to redirect traffic to malicious sites or disable security protections. The CVSS score of 9.8 reflects the high severity of losing administrative control over a central network security component.
Remediation Plan
Immediate Action: Update AdGuard Home to version 0.107.73 or later to resolve the authentication middleware flaw.
Proactive Monitoring: Check logs for HTTP/1.1 to h2c upgrade requests and review DNS configuration history for unauthorized changes.
Compensating Controls: Disable HTTP/2 cleartext support if possible, or use a reverse proxy that properly handles authentication before passing traffic to the AdGuard Home service.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Mar 11, 2026, there is no public information indicating active exploitation. This protocol-level bypass is sophisticated but highly effective, making it a critical risk for internet-facing instances.
Analyst Recommendation
Immediate patching is required to prevent unauthorized administrative access. Organizations and home users should ensure their AdGuard Home instances are updated to version 0.107.73 and should avoid exposing the management interface to the public internet.