HIGH | CVE-2026-42984 | CNA: microsoft

CVE-2026-42984: Windows Kernel Elevation of Privilege Vulnerability

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.

Metrics

  • CVSS v3.1: 7.0
  • Severity: HIGH
  • Fixed in: 10.0.17763.8880
  • Affected Products: 13


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Windows Kernel allows a locally authenticated attacker to escalate privileges on affected Windows 10 and Windows 11 systems. Exploitation requires an existing low-privilege account on the target machine and does not require network access or any user interaction, but the exploit is timing-dependent and not trivially reliable. Successful exploitation grants the attacker full control over the affected host, including reading, modifying, or destroying any data on the system. Patched-image rebuilds at the fixed kernel versions are available on HarborGuard for environments running affected Windows base images.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected Windows base layers. Any image whose Windows kernel version falls within the affected range is flagged immediately.

Status: Available

Triage

HarborGuard scores this CVE at 7.0 HIGH (CVSS v3.1) and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on policy-defined ownership rules.

Status: Available

Patch

Patched-image rebuilds pinned to the fixed versions (10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, and 10.0.22631.7219, among others) are available for affected images. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker must be able to execute code on the machine under an authenticated user context.

  • Victim interaction: Not required

    No user interaction is needed; the attacker triggers the vulnerability entirely through their own process without involving another user.

  • Attack complexity: Detail

    Exploitation is timing-dependent, likely involving a race condition to trigger the use-after-free window, making the exploit less than fully reliable without tuning.

Blast Radius

  • A successful attacker gains kernel-level privileges, allowing them to read any file, credential store, or memory region on the host regardless of access controls.
  • The attacker can modify kernel data structures, overwrite system files, or install a persistent rootkit that survives reboots.
  • The attacker can crash or halt the operating system at will, taking down all workloads running on the affected host.
  • Any secrets, tokens, or certificates accessible to the operating system (including those held by containerized workloads on the host) are exposed to the attacker.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any customer image built on an affected Windows base layer, scored at 7.0 HIGH and routed per each environment's compliance policy. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the appropriate fixed version, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. For customers who have not enabled auto-remediation, the rebuilt images are available for manual promotion. Until a patched image is deployed, compensating controls to consider include restricting interactive login rights to reduce the pool of accounts that could reach this code path, enforcing process isolation at the container runtime level, and auditing local account permissions to ensure least-privilege access.


Fix available

10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, 10.0.22631.7219, 10.0.26100.8655, 10.0.26100.32995, 10.0.26200.8655, 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
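
Build 26100 appears above with two different fix revisions (8655 for Windows 11 Version 24H2, 32995 for Windows Server 2025), so a check against these ranges has to key on the product as well as the version, and compare revisions numerically rather than as strings. The following is an added example, not HarborGuard's code: the ranges are copied from the list above, while the function names and the sample inventory are constructed for illustration.

```python
# Added example: ranges copied from the "Affected packages" list on this page.
# parse_version, check, scan and SAMPLE are illustrative names, not a real API.
AFFECTED = {  # product -> (range start, first fixed version)
    "Windows 10 Version 1809": ("10.0.17763.0", "10.0.17763.8880"),
    "Windows 10 Version 21H2": ("10.0.19044.0", "10.0.19044.7417"),
    "Windows 10 Version 22H2": ("10.0.19045.0", "10.0.19045.7417"),
    "Windows 11 Version 23H2": ("10.0.22631.0", "10.0.22631.7219"),
    "Windows 11 Version 24H2": ("10.0.26100.0", "10.0.26100.8655"),
    "Windows 11 Version 25H2": ("10.0.26200.0", "10.0.26200.8655"),
    "Windows 11 version 26H1": ("10.0.28000.0", "10.0.28000.2269"),
    "Windows Server 2019": ("10.0.17763.0", "10.0.17763.8880"),
    "Windows Server 2022": ("10.0.20348.0", "10.0.20348.5256"),
    "Windows Server 2025": ("10.0.26100.0", "10.0.26100.32995"),
}

def parse_version(text):
    """Turn '10.0.26100.8655' into (10, 0, 26100, 8655) for numeric comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows version: {text!r}")
    return tuple(int(p) for p in parts)

def check(product, version):
    """Return 'affected', 'fixed' or 'unknown' for one product/version pair."""
    # On this page the Server Core entries carry the same range as the full edition.
    name = product.replace(" (Server Core installation)", "").strip().lower()
    bounds = next((b for k, b in AFFECTED.items() if k.lower() == name), None)
    if bounds is None:
        return "unknown"  # product not listed in the advisory: do not guess
    floor, fixed = (parse_version(b) for b in bounds)
    v = parse_version(version)
    if v[:3] != floor[:3]:
        return "unknown"  # build line does not match the one listed for this product
    return "affected" if v < fixed else "fixed"

# Constructed inventory of (image name, product, kernel version) for the demo.
SAMPLE = [
    ("img-a", "Windows 11 Version 24H2", "10.0.26100.8655"),
    ("img-b", "Windows Server 2025", "10.0.26100.8655"),
    ("img-c", "Windows Server 2019 (Server Core installation)", "10.0.17763.8880"),
    ("img-d", "Windows Server 2016", "10.0.14393.1"),
]

def scan(inventory):
    """Map each image name to its status."""
    return {name: check(product, version) for name, product, version in inventory}

if __name__ == "__main__":
    for image, status in scan(SAMPLE).items():
        print(image, status)
```

The same version string is fixed on Windows 11 Version 24H2 and still affected on Windows Server 2025, which is the case a build-number-only match gets wrong.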
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C