CVE-2026-42989: Winlogon Elevation of Privilege Vulnerability
Improper link resolution before file access ('link following') in Winlogon allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
A link-following privilege escalation vulnerability exists in Winlogon, the Windows authentication and session management component, affecting multiple versions of Windows 10 and Windows 11. The vulnerability is reached locally and requires only a low-privilege account, with no user interaction needed. Successful exploitation gives an attacker full read and write access to, and control over, the affected system. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running an affected Windows base image.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that layer on affected Windows base versions. Any image whose embedded OS version falls within the affected range is flagged automatically in both registry scans and CI/CD pipeline checks.
Available
HarborGuard is capable of scoring this CVE at CVSS 7.8 HIGH and weighting that score against each customer environment's compliance policy to determine breach-of-threshold status. Triage results are routed to the inbox or ticketing integration configured for each organization, so the right team sees the alert without manual sorting.
Available
A patched-image rebuild at each applicable fix version (6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and the corresponding Windows 11 fix versions) is available on HarborGuard for affected environments. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.
Available
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network exposure is required.
- Authentication: Required
  Any low-privilege local account is sufficient; no administrative credentials are needed to trigger the vulnerability.
- Victim interaction: Not required
  The exploit executes without requiring any action from another user on the system.
- Attack complexity: Detail
  The exploit is reliable and condition-free; no race conditions or special environmental factors need to align.
Blast Radius
- Reads any file or credential material on the system, including stored secrets, hashes, and configuration data accessible to SYSTEM.
- Modifies or overwrites any file on the local filesystem, including security-critical binaries and audit logs.
- Terminates or disrupts any running process, including security tooling and endpoint agents.
- Achieves full local SYSTEM-level control, enabling persistence mechanisms such as service installation or scheduled task creation.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-42989 is active across all customer scan environments, matching Windows base images down to the specific build number against each affected version range. Where a customer image is confirmed vulnerable, a rebuilt image at the appropriate patched build is made available. For customers who opt into auto-remediation and whose compliance policy permits, HarborGuard can rebuild the image, execute a regression run, and open a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. For environments where auto-remediation is not enabled, the flagged finding appears in the triage queue with the CVSS 7.8 HIGH score and fix-version guidance so teams can act manually. Because this is a local privilege escalation, compensating controls such as enforcing least-privilege process execution inside containers and restricting host-path mounts can limit the exposure surface while a rebuild is scheduled.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
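The build-number matching described above can be reproduced offline against the fix list on this page. The following is an added example, not HarborGuard's or Microsoft's code; the function names, the "client"/"server" install-type labels and the sample inventory are assumptions made for illustration. It shows why the revision must be compared as an integer and why build 10.0.26100 cannot be judged without knowing whether the image is Windows 11 24H2 or Windows Server 2025.

```python
# Added example. Fix revisions are copied from the "Fix available" list on this page.
# Key: (major, minor, build). Value: first fixed revision per install type.
# "client"/"server" are labels assumed here; Server Core counts as "server".
FIXED = {
    (6, 2, 9200):   {"server": 26132},
    (6, 3, 9600):   {"server": 23228},
    (10, 0, 14393): {"client": 9234, "server": 9234},
    (10, 0, 17763): {"client": 8880, "server": 8880},
    (10, 0, 19044): {"client": 7417},
    (10, 0, 19045): {"client": 7417},
    (10, 0, 20348): {"server": 5256},
    (10, 0, 22631): {"client": 7219},
    (10, 0, 26100): {"client": 8655, "server": 32995},  # 24H2 vs Server 2025
    (10, 0, 26200): {"client": 8655},
    (10, 0, 28000): {"client": 2269},
}


def classify(version: str, install_type: str) -> str:
    """Return 'vulnerable', 'patched' or 'unlisted' for major.minor.build.revision."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build.revision, got {version!r}")
    major, minor, build, revision = map(int, parts)
    branch = FIXED.get((major, minor, build))
    if branch is None or install_type not in branch:
        # Not named in the advisory: report it rather than assume it is safe.
        return "unlisted"
    # Integer comparison: as strings, "8655" would sort above "32995".
    return "vulnerable" if revision < branch[install_type] else "patched"


def scan(inventory: dict) -> dict:
    """Classify every image in a {name: (os_version, install_type)} inventory."""
    return {name: classify(ver, kind) for name, (ver, kind) in inventory.items()}


# Constructed sample inventory (image names and versions are made up).
SAMPLE = {
    "ci-runner":   ("10.0.26100.8655", "client"),
    "api-gateway": ("10.0.26100.8655", "server"),
    "legacy-iis":  ("6.3.9600.23228", "server"),
    "batch-node":  ("10.0.17763.8879", "server"),
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE).items():
        print(f"{name:12} {verdict}")
```
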