Severity: HIGH | CVE-2026-42977 | CNA: microsoft

CVE-2026-42977: Windows Push Notifications Elevation of Privilege Vulnerability

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 10.0.17763.8880
  • Affected Products: 13


HarborGuard Analysis

Synopsis

A race condition in the Windows Push Notifications component allows a locally authenticated attacker to escalate privileges on affected Windows 10 and Windows 11 systems. The vulnerability requires only a low-privilege account and no interaction from other users, but exploiting it depends on winning a timing window in shared-resource handling, which adds some environmental complexity. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability on the system, with scope extending beyond the immediate process boundary. Patched-image rebuilds at the fixed versions are available on HarborGuard for environments running an affected Windows base image.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-42977 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including Microsoft Security Response Center advisories. This matching covers both public base images derived from affected Windows versions and custom-built images that layer on top of them.

Triage (Available)

Triage is available using the CVSS v3.1 score of 7.8 (HIGH), with per-environment compliance policy weighting applied to prioritize routing within each customer organization. Issues are surfaced to the appropriate team inbox based on the scope-changed, high-impact nature of this local privilege escalation.

Patch (Available)

Patched-image rebuilds at the fix versions (10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, and 10.0.22631.7219 for the respective Windows releases) are available on HarborGuard for environments running an affected base image. For customers who opt into auto-remediation, HarborGuard performs a rebuild, runs a regression test suite against the new image, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the service is required.

  • Authentication: Required

    A low-privilege local account is sufficient; no administrative or elevated credentials are needed before exploitation.

  • Victim interaction: Not required

    The exploit runs entirely under the attacker's control with no action required from any other user.

  • Attack complexity: High (AC:H)

    Exploitation depends on winning a race condition over a shared resource, meaning timing and environmental factors affect reliability.

Blast Radius

  • A successful attacker gains elevated system-level privileges, breaking out of the original process boundary and affecting other components on the host.
  • Confidentiality is fully compromised: the attacker can read any data accessible on the system, including credentials, session tokens, and stored files.
  • Integrity is fully compromised: the attacker can write to or modify any resource on the system, including security-sensitive configuration and binaries.
  • Availability is fully compromised: the attacker can crash, disable, or otherwise disrupt any service or process running on the affected host.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any customer image based on an affected Windows 10 or Windows 11 version. Because this is a HIGH-severity, scope-changed privilege escalation, it is prioritized accordingly in the triage queue and routed based on each organization's compliance policy. Where compliance policy permits, auto-remediation triggers a rebuild of the affected base image at the appropriate patched version, runs a regression test pass, and opens a PR against affected workloads. For environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. Customers who manage remediation manually will find the patched rebuild staged and ready in their HarborGuard registry view. Because exploitation requires an existing local foothold, compensating controls to consider in the interim include restricting interactive login rights to the affected hosts and enforcing application-control policies that limit which processes can run under low-privilege accounts.


Fix available

  • 10.0.17763.8880
  • 10.0.19044.7417
  • 10.0.19045.7417
  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269
Affected packages
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C