HIGH | CVE-2026-42837 | CNA: microsoft

CVE-2026-42837: Windows Projected File System Elevation of Privilege Vulnerability

Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 10.0.17763.8880
  • Affected Products: 13

HarborGuard Analysis

Synopsis

A buffer over-read in the Windows Projected File System (ProjFS) Filter Driver allows a locally authenticated attacker to escalate their privileges on the affected host. The vulnerability is reached locally, meaning the attacker must already have an existing session or process on the machine, and requires only a low-privilege account to trigger. Successful exploitation gives the attacker full control over the system, covering confidentiality, integrity, and availability. Patched-image rebuilds at the fixed Windows build versions are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built Windows-based container images. Any image whose base OS layer falls within the affected Windows 10 or Windows 11 build ranges is flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.8 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage routing directs the alert to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at the applicable fixed build version becomes available on HarborGuard once the upstream base image is updated. For customers who opt into auto-remediation, HarborGuard can run the rebuild, execute a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing exposure is required to reach the vulnerable driver.

  • Authentication: Required

    Any low-privilege local account is sufficient; no administrative or elevated credentials are needed before exploitation.

  • Victim interaction: Not required

    No action from another user or victim is needed; the attacker triggers the vulnerability entirely on their own.

  • Attack complexity: Low

    The exploit is reliable and condition-free, with no race conditions or environmental dependencies required to succeed.

Blast Radius

  • A successful attacker gains SYSTEM-level or equivalent kernel privileges, taking full control of the host.
  • The attacker can read any file, credential, or secret accessible on the machine, including those belonging to other users and services.
  • The attacker can modify or delete any data on the host, including system files, application state, and persisted records.
  • The attacker can crash, halt, or destabilize the operating system or any service running on it.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-42837 is active across all connected registries and pipelines, matching images against the affected Windows build ranges for each product version listed in the advisory. Where compliance policy permits, patched-image rebuilds at the fixed build versions (10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, 10.0.22631.7219, and their counterparts for Windows 11 24H2 and later) are available the moment updated Microsoft base images are published. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Given that exploitation requires only a low-privilege local account, prioritizing this patch for any multi-tenant or shared-host Windows container environment is advisable even before auto-remediation completes.

Fix available

10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, 10.0.22631.7219, 10.0.26100.8655, 10.0.26100.32995, 10.0.26200.8655, 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
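
The affected ranges above can be checked mechanically against a Windows version string taken from a host or image inventory. The following is an added example, not HarborGuard's or Microsoft's code; the `family` hint, the status names and the sample inventory are assumptions made for illustration.

```python
# Added example. First fixed revision per Windows build, transcribed from the
# "Affected packages" list. Build 26100 is shared by Windows 11 24H2 ("client")
# and Windows Server 2025 ("server"), which have different fixed revisions.
FIXED_REVISION = {
    17763: {"any": 8880},
    19044: {"any": 7417},
    19045: {"any": 7417},
    20348: {"any": 5256},
    22631: {"any": 7219},
    26100: {"client": 8655, "server": 32995},
    26200: {"any": 8655},
    28000: {"any": 2269},
}


def parse_os_version(text):
    """Parse '10.0.<build>.<revision>' into (build, revision) as integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part numeric version: {text!r}")
    major, minor, build, revision = map(int, parts)
    if (major, minor) != (10, 0):
        raise ValueError(f"not a Windows 10.0.x version: {text!r}")
    return build, revision


def check_build(os_version, family=None):
    """Return 'affected', 'fixed', 'ambiguous' or 'not-listed'.

    family is a hypothetical hint ('client' or 'server'), needed only for 26100.
    Revisions are compared as integers: as strings, '32995' sorts below '8655'.
    """
    build, revision = parse_os_version(os_version)
    fixes = FIXED_REVISION.get(build)
    if fixes is None:
        return "not-listed"
    threshold = fixes.get("any", fixes.get(family))
    if threshold is not None:
        return "affected" if revision < threshold else "fixed"
    # Shared build, family unknown: decide only where both thresholds agree.
    if revision < min(fixes.values()):
        return "affected"
    if revision >= max(fixes.values()):
        return "fixed"
    return "ambiguous"


# Constructed sample inventory (not real hosts or images).
SAMPLES = [("10.0.17763.8879", None), ("10.0.26100.8655", "server"),
           ("10.0.26100.8655", "client"), ("10.0.26100.9000", None)]
RESULTS = [check_build(v, f) for v, f in SAMPLES]
```

A `not-listed` result means only that the build does not appear in this advisory's list, and `ambiguous` means the product family must be established before the 26100 revision can be judged.
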
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C