HIGH | CVE-2026-42828 | CNA: microsoft

CVE-2026-42828: Windows Projected File System Elevation of Privilege Vulnerability

Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 10.0.17763.8880
  • Affected Products: 13


HarborGuard Analysis

Synopsis

Buffer over-read in the Windows Projected File System Filter Driver allows a local attacker with a low-privilege account to elevate privileges on affected Windows 10 and Windows 11 systems. The vulnerability is reached locally and requires no interaction from another user, but the attacker must already hold a valid user account on the machine. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected system. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows base images.

HarborGuard Coverage

Detection

Detection for CVE-2026-42828 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that layer Windows base images. Coverage applies to images pinned to any of the affected version ranges across Windows 10 1809 through Windows 11 26H1.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.8 (HIGH) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer organization. Triage routing is available to direct findings to the correct team inbox based on workload ownership rules configured in each environment.

Status: Available

Patch

Patched-image rebuilds at the fix versions (10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, and 10.0.22631.7219) are available on HarborGuard for environments running affected base images. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; no administrative rights are needed to trigger the vulnerability.

  • Victim interaction: Not required

    No action from another user is required; the attacker can exploit the vulnerability entirely on their own.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation does not depend on race conditions or special environmental dependencies. The temporal metrics in the vector (E:U) rate exploit code maturity as unproven.

Blast Radius

  • A successful attacker reads protected files, credentials, and secrets accessible on the host system.
  • A successful attacker modifies system files, registry entries, or other persisted data on the host.
  • A successful attacker can crash or disable the affected Windows system or its services.
  • Because all three of confidentiality, integrity, and availability are rated High, full compromise of the host is achievable from a standard user context.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any customer image built on an affected Windows base version, covering the full range from Windows 10 1809 through Windows 11 26H1. For environments with auto-remediation enabled, HarborGuard can rebuild affected images at the patched versions, run regression tests, and open a pull request against impacted workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, findings are routed to the configured team inbox with CVSS score, affected image list, and recommended fix version attached. Customers running Windows-based container workloads are encouraged to validate that base images reflect the patched build numbers listed in the fix versions.


Fix available

  • 10.0.17763.8880
  • 10.0.19044.7417
  • 10.0.19045.7417
  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
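
The base-image validation recommended above, as an added example (not HarborGuard's or Microsoft's code): it checks a four-part Windows version against the ranges in the list above, including the 10.0.26100 branch where the client and server products have different fix revisions. The `client`/`server` family labels, function names and sample inventory are assumptions made for illustration.

```python
# Added example. Fix revisions are transcribed from this page's "Affected
# packages" list; the "client"/"server" family labels are a hypothetical
# grouping of those product names, not a field from the CVE record.
FIXED_REVISION = {
    (10, 0, 17763): {"client": 8880, "server": 8880},   # Win10 1809, Server 2019
    (10, 0, 19044): {"client": 7417},                   # Win10 21H2
    (10, 0, 19045): {"client": 7417},                   # Win10 22H2
    (10, 0, 20348): {"server": 5256},                   # Server 2022
    (10, 0, 22631): {"client": 7219},                   # Win11 23H2
    (10, 0, 26100): {"client": 8655, "server": 32995},  # Win11 24H2, Server 2025
    (10, 0, 26200): {"client": 8655},                   # Win11 25H2
    (10, 0, 28000): {"client": 2269},                   # Win11 26H1
}

def parse_version(text):
    """Split 'major.minor.build.revision' into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected four numeric fields, got {text!r}")
    return tuple(int(p) for p in parts)

def assess(version, family):
    """Return 'vulnerable', 'patched', or 'not-listed' for one OS version."""
    *branch, revision = parse_version(version)
    fixes = FIXED_REVISION.get(tuple(branch), {})
    if family not in fixes:
        return "not-listed"  # the page gives no range for this build/product
    # Compare as integers: as strings, "32995" sorts before "8655".
    return "vulnerable" if revision < fixes[family] else "patched"

def scan(inventory):
    """Return the image names whose OS version falls in an affected range."""
    return [name for name, version, family in inventory
            if assess(version, family) == "vulnerable"]

# Constructed inventory: (image name, OS version, family). Names are made up.
SAMPLE = [
    ("build-agent", "10.0.26100.9000", "client"),      # past the 24H2 fix
    ("api-servercore", "10.0.26100.9000", "server"),   # below the Server 2025 fix
    ("legacy-ltsc2019", "10.0.17763.8879", "server"),  # one revision short
    ("web-ltsc2022", "10.0.20348.5256", "server"),     # exactly at the fix
]

if __name__ == "__main__":
    for name, version, family in SAMPLE:
        print(f"{name:16} {version:18} {assess(version, family)}")
```

A `not-listed` result means only that this page gives no range for that build and product; it is not a statement that the build is unaffected.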
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C