CVE-2026-42987: Windows Deployment Services (WDS) Remote Code Execution
Use after free in Windows Deployment Services allows an unauthorized attacker to execute code over a network.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 11
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in Windows Deployment Services (WDS) allows an unauthenticated remote attacker to execute arbitrary code on affected Windows Server systems. The flaw is reachable over the network without any login credentials, though exploitation requires meeting certain environmental conditions reflected in the high attack complexity rating. Successful exploitation gives the attacker full control over code execution, with high impact across confidentiality, integrity, and availability. Patched-image rebuilds at the applicable fix versions (6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, and 10.0.20348.5256) are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built Windows Server images. Any image layer or base image corresponding to an affected WDS version is flagged automatically.
Available
HarborGuard scores this CVE at 8.1 HIGH using the CVSS v3.1 vector and weights it further against each customer organization's compliance policy to determine routing priority. Findings are routed to the appropriate team inbox within the customer org based on policy-defined severity thresholds and asset ownership.
Available
Patched-image rebuilds at each applicable fix version become available on HarborGuard as soon as the upstream packages are published. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
The attacker must reach the WDS service over the network; the vulnerability is exposed via a network-accessible endpoint (AV:N).
- Authentication: Not required
No credentials or account of any privilege level are needed to attempt exploitation (PR:N).
- Victim interaction: Not required
No user action or social engineering is required; the attacker can trigger the vulnerability without any victim participation (UI:N).
- Attack complexity: Detail
Exploitation is rated high complexity (AC:H), meaning the attacker must satisfy specific environmental conditions such as timing constraints, memory layout dependencies, or race conditions to reliably trigger the use-after-free.
Blast Radius
- A successful attacker executes arbitrary code in the context of the WDS service process, gaining direct control over the server.
- The attacker reads sensitive data accessible to the service, including network boot configurations, image payloads, and credential material stored or cached by WDS.
- The attacker modifies or replaces deployment images and server-side configuration, enabling tampering with OS images delivered to client machines during network boot.
- The attacker crashes or destabilizes the WDS service, preventing network-based OS deployments across any clients relying on that server.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any customer image built on an affected Windows Server base, covering all eight listed product variants including Server Core installations. For environments where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the appropriate fix version (6.2.9200.26132 for Server 2012, 6.3.9600.23228 for Server 2012 R2, 10.0.14393.9234 for Server 2016, 10.0.17763.8880 for Server 2019), runs a regression test pass, and opens a pull request against affected workloads. For high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with the specific fix version required so operators can act manually. Given the network-reachable, no-auth attack surface of WDS, customers are also advised to consider network-policy controls that restrict WDS port exposure (typically UDP 67, 69, and 4011) to authorized provisioning segments as a compensating control until patched images are deployed.
Fix available
- Microsoft / Windows Server 2012 < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation) < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2 < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation) < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016 < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation) < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019 < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation) < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022 < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025 < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation) < 10.0.26100.32995 (from 10.0.26100.0)
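The fix list above is a set of per-branch version ranges, so a build has to be compared numerically against the fix for its own branch (a string comparison ranks 10.0.14393.10000 below 10.0.14393.9234). The following is an added example, not HarborGuard's matching code; the host names and inventory builds are constructed, and it assumes your inventory reports a four-field build string.

```python
# Added example: branch -> first fixed build, copied from the "Fix available" list.
FIXED_BUILDS = {
    "6.2.9200": "6.2.9200.26132",      # Server 2012
    "6.3.9600": "6.3.9600.23228",      # Server 2012 R2
    "10.0.14393": "10.0.14393.9234",   # Server 2016
    "10.0.17763": "10.0.17763.8880",   # Server 2019
    "10.0.20348": "10.0.20348.5256",   # Server 2022
    "10.0.26100": "10.0.26100.32995",  # Server 2025
}

def parse_build(version):
    """Split 'a.b.c.d' into a tuple of ints so fields compare numerically."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4 or min(parts) < 0:
        raise ValueError(f"expected four numeric fields: {version!r}")
    return parts

def assess(version):
    """Return (status, fixed_build) for one reported build string."""
    try:
        build = parse_build(version)
    except ValueError:
        return ("unparseable", None)
    # Only compare within the same branch; a 6.3 build says nothing about 6.2.
    branch = ".".join(str(p) for p in build[:3])
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return ("not-listed", None)  # branch is not in the advisory's list
    status = "affected" if build < parse_build(fixed) else "fixed"
    return (status, fixed)

# Constructed inventory (hypothetical host names and builds).
INVENTORY = {
    "wds-lab-01": "10.0.14393.9233",   # one revision below the fix
    "wds-lab-02": "10.0.14393.10000",  # numerically above the fix
    "wds-lab-03": "6.3.9600.23228",    # exactly the fixed build
    "wds-lab-04": "10.0.19045.1",      # branch not in the list
    "wds-lab-05": "10.0.17763",        # truncated report
}

def triage(inventory):
    """Map each host to its (status, fixed_build) result."""
    return {host: assess(v) for host, v in inventory.items()}

if __name__ == "__main__":
    for host, (status, fixed) in triage(INVENTORY).items():
        note = f" (needs >= {fixed})" if status == "affected" else ""
        print(f"{host}: {status}{note}")
```

Treat "unparseable" and "not-listed" results as items to investigate rather than as clean.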
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C