HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-42981Published Modified CNA microsoft

CVE-2026-42981: Windows Performance Monitor Remote Code Execution Vulnerability

Integer underflow (wrap or wraparound) in Windows Performance Monitor allows an unauthorized attacker to execute code over a network.

Metrics

CVSS v3.1
8.1
Severity
HIGH
Fixed in
10.0.20348.5256
Affected Products
8

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An integer underflow vulnerability in Windows Performance Monitor allows an unauthenticated remote attacker to execute arbitrary code on affected systems. The flaw is reachable over the network with no credentials required, though exploitation involves meaningful complexity due to race conditions or environmental factors. Successful exploitation gives an attacker full code execution on the target, enabling complete confidentiality, integrity, and availability impact. Patched-image rebuilds at the relevant fix versions are available on HarborGuard for environments running affected Windows Server versions.

HarborGuard Coverage

Detection

Detection for CVE-2026-42981 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle affected Windows components. Coverage extends to both registry scans and CI/CD pipeline checks so affected images are flagged before they reach production.

Available
Triage

HarborGuard scores this CVE at CVSS 8.1 (High) and can weight that score against each customer organization's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer org based on configured ownership rules.

Available
Patch

Patched-image rebuilds at versions 10.0.20348.5256, 10.0.22631.7219, 10.0.26100.8655, 10.0.26100.32995, and 10.0.26200.8655 are available on HarborGuard for images running affected Windows Server or Windows 11 builds. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Windows Performance Monitor service over the network; no local access or physical proximity is needed.

  • AuthenticationNot required

    No credentials or account of any privilege level are required to attempt exploitation.

  • Victim interactionNot required

    The attack is fully remote and does not require any action from a user on the target system.

  • Attack complexityDetail

    Exploitation is rated High complexity, meaning the attacker must account for race conditions, specific memory layout, or other environmental factors that are not fully under their control.

Blast Radius

  • A successful attacker executes arbitrary code in the context of the affected Windows service, gaining a foothold on the host.
  • Confidentiality is fully compromised: the attacker can read any data accessible to the exploited process, including credentials, configuration files, and in-memory secrets.
  • Integrity is fully compromised: the attacker can write, modify, or delete files and registry state on the host.
  • Availability is fully compromised: the attacker can crash, hang, or otherwise disable the affected service and dependent workloads.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-42981 fires within minutes of CVE publication, matching affected Windows Server and Windows 11 image layers against the published fix-version thresholds. For environments running affected builds, patched-image rebuilds at the upstream fix versions are available immediately. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test pass, and opens a PR against affected workloads; for High-severity issues, the median time from CVE publication to a merged patch PR is approximately 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual sign-off, triage cards are routed to the designated owner inbox with CVSS context attached. Until a rebuild is deployed, network-policy isolation of hosts exposing the Performance Monitor service and egress filtering to limit lateral reachability are recommended as compensating controls.

See how HarborGuard automates this

Fix available

10.0.20348.525610.0.22631.721910.0.26100.865510.0.26100.3299510.0.26200.865510.0.28000.2269
Patch commits
Affected packages
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
References