HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-42979Published Modified CNA microsoft

CVE-2026-42979: Windows Push Notifications Elevation of Privilege Vulnerability

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

Metrics

CVSS v3.1
7.8
Severity
HIGH
Fixed in
10.0.17763.8880
Affected Products
13

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A race condition in the Windows Push Notifications subsystem allows a low-privileged local attacker to escalate to higher privileges on affected Windows 10 and Windows 11 systems. The flaw is reached locally and requires no interaction from other users, but the attacker must win a timing-dependent race over a shared resource. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the system. Patched-image rebuilds at the fixed versions are available on HarborGuard for environments running affected Windows base images.

HarborGuard Coverage

Detection

Detection for CVE-2026-42979 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that layer on affected Windows base versions. Any image whose Windows build number falls within the vulnerable ranges for Windows 10 1809 through Windows 11 26H1 is flagged automatically.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 7.8 HIGH and weighting that score against each customer environment's compliance policy to determine priority. Triage findings are routable to the appropriate team inbox inside each customer org based on configured ownership rules.

Available
Patch

Patched-image rebuilds pinned to the fixed Windows build numbers (10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, and 10.0.22631.7219 as applicable) are available on HarborGuard for affected images. For customers who opt into auto-remediation, HarborGuard can rebuild the image, run regression tests, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • AuthenticationRequired

    Any low-privilege local account is sufficient; the attacker does not need administrative credentials.

  • Victim interactionNot required

    No other user needs to open a file, click a link, or take any action for the exploit to proceed.

  • Attack complexityDetail

    Exploitation depends on winning a timing-sensitive race condition over a shared resource, making reliable triggering conditional on environmental factors and retry attempts.

Blast Radius

  • A successful attacker gains elevated privileges and reads sensitive data accessible to higher-privileged processes, including credentials and session material stored by the OS.
  • The attacker can write to protected system resources, modify configuration, or install persistent payloads that survive reboots.
  • The attacker can crash or destabilize system services, causing denial of service for users on the affected host.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is matched against customer images continuously, covering any Windows base image in the affected build ranges. Where compliance policy permits auto-remediation, HarborGuard can rebuild affected images at the applicable fixed build version, run a regression test suite, and open a pull request against workloads using the vulnerable base layer. For high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Because this is a local privilege escalation requiring an existing foothold, customers without auto-remediation enabled may also consider network-policy controls that limit lateral movement from compromised hosts as a compensating measure while scheduling manual remediation.

See how HarborGuard automates this

Fix available

10.0.17763.888010.0.19044.741710.0.19045.741710.0.20348.525610.0.22631.721910.0.26100.865510.0.26100.3299510.0.26200.865510.0.28000.2269
Patch commits
Affected packages
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
References