HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-42910Published Modified CNA microsoft

CVE-2026-42910: Windows Hotpatch Monitoring Service Elevation of Privilege Vulnerability

Out-of-bounds write in Windows Hotpatch Monitoring Service allows an authorized attacker to elevate privileges locally.

Metrics

CVSS v3.1
7.8
Severity
HIGH
Fixed in
10.0.26100.8655
Affected Products
5

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability affects the Windows Hotpatch Monitoring Service on Windows 11 (versions 24H2, 25H2, and 26H1) and Windows Server 2025. The flaw is exploitable locally by an attacker who already holds a low-privilege account on the target system, with no network exposure and no user interaction required. Successful exploitation gives the attacker full control over the affected system, including the ability to read, modify, or destroy data and disrupt running services. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows base images.

HarborGuard Coverage

Detection

Detection of CVE-2026-42910 is available across every HarborGuard environment, with the CVE matched against customer images (including custom-built Windows-based container images) within minutes of ingestion from upstream advisory feeds. Any image whose OS layer falls within the affected version ranges for Windows 11 24H2, 25H2, 26H1, or Windows Server 2025 is flagged automatically.

Available
Triage

HarborGuard scores this CVE at 7.8 HIGH using the CVSS v3.1 base score and can apply per-environment compliance policy weighting to adjust priority, for example elevating urgency in environments where Windows Server 2025 workloads run with interactive user sessions. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild at the applicable fix version (10.0.26100.8655, 10.0.26100.32995, 10.0.26200.8655, or 10.0.28000.2269 depending on the affected OS variant) becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network access to the service is required.

  • AuthenticationRequired

    Any low-privilege local account is sufficient; no administrative or elevated credentials are needed to trigger the vulnerability.

  • Victim interactionNot required

    No action from another user or administrator is needed; the attacker can trigger the vulnerability entirely on their own.

  • Attack complexityDetail

    Exploitation is reliable and condition-free, with no race conditions or specific memory layout requirements to satisfy.

Blast Radius

  • Reads sensitive data accessible to the SYSTEM account, including credentials, configuration secrets, and application data stored on the host.
  • Modifies or overwrites files, registry keys, and process memory beyond what the attacker's original low-privilege account is permitted to touch.
  • Crashes or terminates services running on the affected host, causing service disruption for workloads dependent on that system.
  • Installs persistent mechanisms or injects code into privileged processes, enabling continued access beyond the initial exploit.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-42910 runs against every image in a customer's registry and CI pipeline, covering Windows 11 and Windows Server 2025 base layers within the affected version ranges. For environments where the OS layer version falls below the relevant fix threshold, a patched-image rebuild at the corrected version is available once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes a regression run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with CVSS scoring and policy-weighted priority so the owning team can act manually. Given that exploitation requires only a local low-privilege account (a realistic condition in multi-tenant or shared-host deployments), prompt patching is the primary recommended control.

See how HarborGuard automates this

Fix available

10.0.26100.865510.0.26100.3299510.0.26200.865510.0.28000.2269
Patch commits
Affected packages
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
References