CVE-2026-42980: NT OS Kernel Elevation of Privilege Vulnerability
Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 6.2.9200.26132
- Affected Products
- 20
HarborGuard Analysis
Synopsis
An integer underflow (wrap-around) vulnerability in the Windows NT OS Kernel allows a locally authenticated attacker to elevate privileges on affected Windows 10 and Windows 11 systems. The attacker must already have a low-privilege account on the target host; no network access or user interaction is required. Successful exploitation grants full control over the system, including the ability to read, modify, or destroy any data and crash the operating system. Patched-image rebuilds at the fixed kernel versions are available on HarborGuard for environments running affected Windows base images.
HarborGuard Coverage
Detection of CVE-2026-42980 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication against upstream feed ingestion, covering both public base images and custom-built Windows container images in customer registries and CI pipelines. Any image layered on an affected Windows 10 or Windows 11 base is flagged automatically without requiring manual rule configuration.
AvailableHarborGuard is capable of scoring this CVE at CVSS 7.8 HIGH and weighting it against each environment's compliance policy to determine urgency and routing. Triage findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
AvailableA patched-image rebuild at the applicable fix version (for example, 10.0.14393.9234 for Windows 10 1607 or 10.0.26100.8655 for Windows 11 24H2) becomes available on HarborGuard once the upstream patched base layer is published. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- AuthenticationRequired
Any low-privilege local account is sufficient; the attacker does not need administrative credentials.
- Victim interactionNot required
No action from another user or administrator is needed to trigger the vulnerability.
- Attack complexityDetail
The exploit is reliable and condition-free, with no race conditions or specific memory layout dependencies required.
Blast Radius
- A successful attacker gains kernel-level privileges, allowing them to read any data on the system including credentials, secrets, and protected memory.
- The attacker can modify or overwrite any file, registry key, or system configuration on the host.
- The attacker can install persistent backdoors or tamper with security tooling running on the host.
- The attacker can crash the operating system or any running process, causing a full denial of service.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-42980 is active against all customer images containing affected Windows NT kernel versions across Windows 10 (1607 through 22H2) and Windows 11 (23H2 through 25H2). Where compliance policy permits, HarborGuard can initiate a patched-image rebuild pinned to the corrected kernel version, run regression tests against the rebuilt image, and open a pull request against affected workloads. For customers who opt into auto-remediation, median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS scoring and version-range detail so engineering teams can prioritize manually. As a compensating control prior to patching, consider restricting interactive logon rights and confining untrusted code execution through process isolation or application allow-listing policies on affected hosts.
Fix available
- Microsoft / Windows 10 Version 1607< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2< 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2< 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2< 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2< 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation)< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation)< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C