CVE-2026-42916: NT OS Kernel Elevation of Privilege Vulnerability
Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 6.2.9200.26132
- Affected Products
- 20
HarborGuard Analysis
Synopsis
An integer underflow (wrap-around) vulnerability in the Windows NT OS Kernel allows a locally authenticated attacker to elevate their privileges on the affected host. The attacker must already have a low-privilege account and local access; no network path or user interaction is involved. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the system, effectively granting kernel-level privileges. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows versions.
HarborGuard Coverage
Detection of CVE-2026-42916 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built Windows-based container images. Any image whose base layer carries an affected NT kernel build version is flagged automatically.
AvailableHarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 7.8 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on ownership tags and policy configuration.
AvailableA patched-image rebuild at the applicable fix version (for example, 10.0.14393.9234 for Windows 10 1607, or 10.0.26100.8655 for Windows 11 24H2) becomes available on HarborGuard once the upstream patched base image is published. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the service is required.
- AuthenticationRequired
Any low-privilege local account is sufficient; the attacker does not need administrator or elevated credentials to trigger the vulnerability.
- Victim interactionNot required
No action from another user or victim is needed; the attacker can execute the exploit entirely on their own.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Reads protected kernel memory, local credential stores, and sensitive process data belonging to other users or the system.
- Modifies kernel data structures, system configurations, and files that are otherwise restricted to privileged processes.
- Terminates or destabilizes kernel-level processes, potentially crashing the host or disrupting all workloads running on it.
- Attains full kernel-level control over the affected Windows host, bypassing all user-space security boundaries.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image whose base layer carries an affected Windows NT kernel build. For environments running an affected version, a patched-image rebuild targeting the appropriate fix version is made available as soon as the upstream patched base image is published by Microsoft. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression test run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced in the dashboard with CVSS 7.8 HIGH severity, and teams can manually trigger the rebuild workflow. Because local privilege is the only prerequisite, compensating controls to consider in the interim include restricting interactive login access to container host nodes, enforcing least-privilege account policies, and applying host-level audit logging to detect unexpected privilege transitions.
Fix available
- Microsoft / Windows 10 Version 1607< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2< 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2< 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2< 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2< 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation)< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation)< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C