HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-42974Published Modified CNA microsoft

CVE-2026-42974: Windows Performance Monitor Remote Code Execution Vulnerability

Integer underflow (wrap or wraparound) in Windows Performance Monitor allows an unauthorized attacker to execute code over a network.

Metrics

CVSS v3.1
8.1
Severity
HIGH
Fixed in
10.0.20348.5256
Affected Products
8

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An integer underflow vulnerability in Windows Performance Monitor allows a remote, unauthenticated attacker to execute arbitrary code on affected systems over the network. The flaw is triggered by sending malformed input that causes an arithmetic wraparound, corrupting memory in a way that redirects execution. Successful exploitation gives the attacker full code execution on the host, with potential for data theft, tampering, and service disruption. Patched-image rebuilds at the fixed versions are available on HarborGuard for environments running affected Windows Server base images.

HarborGuard Coverage

Detection

Detection of CVE-2026-42974 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream Microsoft and NVD advisory feeds. Coverage extends to custom-built images that layer on affected Windows Server base versions, not just images pulled directly from public registries.

Available
Triage

HarborGuard is capable of scoring this CVE at 8.1 HIGH (CVSS v3.1) and weighting it against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within a customer org is available based on image ownership and policy configuration.

Available
Patch

Patched-image rebuilds at versions 10.0.20348.5256, 10.0.22631.7219, 10.0.26100.8655, 10.0.26100.32995, and 10.0.26200.8655 are available on HarborGuard for environments running affected base images. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Windows Performance Monitor service over the network; the service must be exposed to the attacker's origin.

  • AuthenticationNot required

    No account or credentials are needed; the vulnerability is reachable by any unauthenticated network caller.

  • Victim interactionNot required

    No user action is required; the attacker triggers the vulnerability without any participation from a logged-in user.

  • Attack complexityDetail

    Exploitation is rated high complexity, meaning the attacker must meet specific environmental conditions or timing constraints beyond simple delivery of a malformed request.

Blast Radius

  • A successful attacker achieves arbitrary code execution in the context of the Windows Performance Monitor service process.
  • Confidentiality impact is high: the attacker can read process memory, credentials, or any data accessible to the service account.
  • Integrity impact is high: the attacker can write or modify files, registry keys, and in-memory data on the host.
  • Availability impact is high: the attacker can crash the service or destabilize the host, interrupting monitoring and dependent workloads.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any customer image built on an affected Windows Server base layer (Windows Server 2022 below 10.0.20348.5256, Windows Server 2025 below 10.0.26100.32995, or the corresponding Windows 11 versions). Because this is rated HIGH severity with a network-reachable, zero-authentication attack path, it is prioritized at the top of the triage queue. Where compliance policy permits, auto-remediation customers receive a rebuilt image at the appropriate fixed version, a regression-test run, and a PR opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in environments with auto-remediation enabled. Customers who manage their own patch cycle can use HarborGuard's policy controls to enforce a hard block on deployment of images carrying this CVE until an updated base image is confirmed.

See how HarborGuard automates this

Fix available

10.0.20348.525610.0.22631.721910.0.26100.865510.0.26100.3299510.0.26200.865510.0.28000.2269
Patch commits
Affected packages
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
References