HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-42904Published Modified CNA microsoft

CVE-2026-42904: Windows TCP/IP Elevation of Privilege Vulnerability

Heap-based buffer overflow in Windows TCP/IP allows an unauthorized attacker to elevate privileges over an adjacent network.

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
10.0.19044.7417
Affected Products
10

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Heap-based buffer overflow in the Windows TCP/IP stack affects multiple versions of Windows 10, Windows 11, and Windows Server 2022. An attacker on the same network segment (LAN, VPN, or adjacent subnet) can trigger the overflow without any credentials or victim interaction, gaining elevated privileges on the target system. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected host, with scope extending beyond the vulnerable component. Patched-image rebuilds at the fix versions listed above are available on HarborGuard for environments running affected Windows-based container images.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-42904 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built Windows container images derived from affected base versions.

Available
Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.6 (Critical) and weighting it against each environment's compliance policy before routing alerts to the appropriate team inbox within each customer organization.

Available
Patch

For environments running an affected Windows image version, a patched-image rebuild at the applicable fix version (for example, 10.0.19045.7417 for Windows 10 22H2 or 10.0.20348.5256 for Windows Server 2022) becomes available on HarborGuard as soon as the upstream update is ingested. For customers who opt into auto-remediation, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityDetail

    The attacker must be on an adjacent network segment (local network, VPN, or shared subnet); the vulnerability is not reachable from the open internet without that adjacency.

  • AuthenticationNot required

    No credentials or account of any kind are needed; the attacker sends malformed TCP/IP traffic without authenticating to the target.

  • Victim interactionNot required

    The target does not need to open a file, click a link, or take any action for exploitation to succeed.

  • Attack complexityDetail

    The exploit is reliable and requires no special preconditions, race conditions, or knowledge of memory layout; any attacker with network adjacency can attempt it consistently.

Blast Radius

  • A successful attacker elevates from an unprivileged adjacent-network position to a privileged execution context on the target host.
  • All data accessible to the compromised TCP/IP process is exposed, including network traffic, credentials cached in memory, and configuration secrets.
  • The attacker gains write access to system state, enabling modification of routing tables, firewall rules, or persisted files on the host.
  • The scope extends beyond the vulnerable component itself, meaning an attacker can affect other processes and resources on the same host, including container management layers.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image built on an affected Windows base version, covering both images pulled from public registries and custom images built internally. Triage is handled automatically using the CVSS 9.6 Critical score, weighted against each environment's compliance policy, with alerts routed to the configured team inbox. For environments running affected versions of Windows 10, Windows 11, or Windows Server 2022 base images, a patched rebuild at the corresponding fix version becomes available as soon as the upstream update is ingested. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy or network architecture prevents immediate patching, consider isolating affected Windows hosts behind network policy rules that restrict adjacent-network access to the TCP/IP service until the patched image can be deployed.

See how HarborGuard automates this

Fix available

10.0.19044.741710.0.19045.741710.0.20348.525610.0.22631.721910.0.26100.865510.0.26100.3299510.0.26200.865510.0.28000.2269
Patch commits
Affected packages
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
References