CVE-2026-42836: Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability
Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.0
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
A race condition (concurrent execution against a shared resource without proper synchronization) in the Windows Function Discovery Service (fdwsd.dll) allows a local attacker to escalate their privileges on affected Windows 10 and Windows 11 systems. The attacker must already hold a low-privilege account and execute code locally; no network exposure or victim interaction is required. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability of the affected system. Patched-image rebuilds at the fix versions listed above are available on HarborGuard for environments running an affected Windows base image.
HarborGuard Coverage
Detection for CVE-2026-42836 is available across every HarborGuard environment, with the CVE matched against customer images (including custom-built Windows-based images) within minutes of ingestion from upstream advisory feeds. Any container image pulling from an affected Windows base image version is flagged automatically in both registry scans and pipeline-integrated scans.
Available
HarborGuard is capable of scoring this CVE at CVSS 7.0 (High) and weighting that score against each customer environment's compliance policy to determine response priority. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Available
A patched-image rebuild at the applicable fix version (for example, 10.0.19044.7417 for Windows 10 21H2 or 10.0.26100.8655 for Windows 11 24H2) becomes available on HarborGuard once the upstream patched base layer is published. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.
Available
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the service is required.
- Authentication: Required
Any low-privilege local account is sufficient; the attacker does not need administrator or elevated credentials to initiate the exploit.
- Victim interaction: Not required
No user interaction is needed; the attacker executes the exploit entirely on their own without involving another account or session.
- Attack complexity: Detail
Attack complexity is High, meaning the exploit depends on winning a race condition against a shared resource, requiring precise timing or repeated attempts rather than a single reliable trigger.
Blast Radius
- A successful attacker reads any file or credential material on the system, including stored secrets, configuration data, and other users' session tokens.
- The attacker writes to or modifies any file or registry entry on the system, including security-relevant configurations and audit logs.
- The attacker crashes or terminates system services, causing denial of service to any process running on the host.
- Privilege escalation to SYSTEM or equivalent gives the attacker full persistent control over the compromised host.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-42836 is active across all customer environments scanning Windows-based container images, with matching against the affected fdwsd.dll version ranges occurring within minutes of CVE publication. Where a customer image pulls from an affected Windows base layer (any of the version ranges listed in the affected products), HarborGuard flags the image and makes a rebuild at the patched base version available. For customers who have auto-remediation enabled, HarborGuard rebuilds the image at the appropriate fix version, executes a regression run, and opens a pull request against affected workloads; for High-severity issues, median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy or environment constraints prevent auto-remediation, the triage finding is routed to the configured owner inbox so the team can apply the Windows update manually or schedule a base-image refresh.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
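Added example (not HarborGuard's or Microsoft's code): a check of an inventoried OS version against the fix list above, using a subset of its rows. The function names and the sample inventory are constructed for illustration, and it assumes the inventory records the product name alongside the four-field version.

```python
# Rows copied from the advisory's "Fix available" list (a subset, for brevity):
# product -> (first affected version, first fixed version).
FIX_TABLE = {
    "Windows 10 Version 1607": ("10.0.14393.0", "10.0.14393.9234"),
    "Windows 10 Version 22H2": ("10.0.19045.0", "10.0.19045.7417"),
    "Windows 11 Version 24H2": ("10.0.26100.0", "10.0.26100.8655"),
    "Windows Server 2012": ("6.2.9200.0", "6.2.9200.26132"),
    "Windows Server 2016": ("10.0.14393.0", "10.0.14393.9234"),
    "Windows Server 2025": ("10.0.26100.0", "10.0.26100.32995"),
}


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric, not lexical."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four version fields, got {text!r}")
    return parts


def status(product, version):
    """Classify a version for one product: 'affected', 'fixed' or 'other-branch'."""
    low, fixed = (parse_version(v) for v in FIX_TABLE[product])
    current = parse_version(version)
    if current[:3] != low[:3]:
        return "other-branch"  # different build line; this row says nothing about it
    return "affected" if low <= current < fixed else "fixed"


def products_for_build(version):
    """List every product row whose build line matches. More than one result means
    the version string alone cannot decide; the product must be known as well."""
    current = parse_version(version)
    return sorted(p for p, (low, _) in FIX_TABLE.items()
                  if parse_version(low)[:3] == current[:3])


if __name__ == "__main__":
    # Constructed sample inventory: (product, OS version recorded for the image).
    inventory = [
        ("Windows 11 Version 24H2", "10.0.26100.9000"),
        ("Windows Server 2025", "10.0.26100.9000"),
        ("Windows Server 2012", "6.2.9200.9999"),
    ]
    for product, version in inventory:
        print(f"{product:26} {version:18} {status(product, version)}")
    print(products_for_build("10.0.26100.9000"))
```

Two points show up in the sample: the same version 10.0.26100.9000 is past the fix for Windows 11 Version 24H2 but still affected on Windows Server 2025, and a plain string comparison would misorder revision 9999 against 26132.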
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C