CVE-2026-42902: Microsoft PowerToys Elevation of Privilege Vulnerability
Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: v0.99.1
- Affected Products: 1
HarborGuard Analysis
Synopsis
An improper authorization vulnerability in Microsoft PowerToys allows a local attacker with a standard user account to elevate their privileges on the affected system. The attack requires only local access and a low-privilege account; no network exposure or victim interaction is needed. Successful exploitation grants the attacker high-level control over confidentiality, integrity, and availability of the system. A patched-image rebuild at v0.99.1 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-42902 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. Coverage extends to custom-built images that bundle Microsoft PowerToys versions prior to v0.99.1.
Triage is available with CVSS v3.1 scoring applied at a score of 7.8 (HIGH), weighted against each customer organization's per-environment compliance policy. Routing to the appropriate team inbox within each customer org is handled automatically based on policy configuration.
A patched-image rebuild at v0.99.1 is available on HarborGuard for any environment found running an affected version of Microsoft PowerToys. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network path to the service is required.
- Authentication: Required
  A low-privilege local account is sufficient; any standard user credential satisfies this requirement.
- Victim interaction: Not required
  No action from another user or administrator is needed to trigger the vulnerability.
- Attack complexity: Low
  The exploit is reliable and condition-free, with no race conditions or environmental factors that the attacker must manipulate.
Blast Radius
- The attacker reads files, credentials, or secrets that are restricted to higher-privilege accounts on the host.
- The attacker modifies system files, configurations, or persisted data beyond the scope of their original user account.
- The attacker crashes or disrupts services running on the host, including those owned by other users or the operating system.
- Combined control over confidentiality, integrity, and availability gives the attacker effective full-system compromise from a standard user starting point.
How HarborGuard Handles This
Available on HarborGuard: detection, triage, and rebuild capabilities for CVE-2026-42902 are active across all connected environments. For images confirmed to include Microsoft PowerToys below v0.99.1, a rebuilt image at the fix version becomes available automatically once the scan match is confirmed. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a PR against affected workloads; for high-severity issues like this one, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the patched rebuild is staged and the relevant team inbox is notified for review.
Affected Products
- Microsoft / Microsoft PowerToys: < v0.99.1 (from 0.1)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C