HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-42991Published Modified CNA microsoft

CVE-2026-42991: Windows Push Notifications Elevation of Privilege Vulnerability

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

Metrics

CVSS v3.1
7.8
Severity
HIGH
Fixed in
10.0.17763.8880
Affected Products
13

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A race condition in the Windows Push Notifications component allows a locally authenticated attacker to elevate privileges on affected Windows 10 and Windows 11 systems. The attacker must already hold a low-privilege account and exploit a timing window in shared resource access to gain higher system privileges. Successful exploitation gives the attacker full control over the host, including confidentiality, integrity, and availability of all data and processes. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows base images.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that layer atop affected Windows base versions. Any image whose OS layer falls within the affected version ranges is flagged automatically in the customer's registry and CI/CD pipeline scan results.

Available
Triage

HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.8 (HIGH) and weights it against each customer environment's compliance policy to determine urgency and routing. Triage findings are routed to the appropriate team inbox within the customer org based on policy-defined ownership rules for OS-layer vulnerabilities.

Available
Patch

Patched-image rebuilds pinned to the upstream fix versions (10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, 10.0.22631.7219, and later) are available on HarborGuard for each affected product line. For customers who opt into auto-remediation, HarborGuard performs a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network access to the service is required.

  • AuthenticationRequired

    Any low-privilege local account is sufficient; the attacker does not need administrative credentials.

  • Victim interactionNot required

    No user interaction is needed; the attacker triggers the race condition entirely from their own process.

  • Attack complexityDetail

    Exploitation depends on winning a race condition in shared resource access, meaning the attacker must time execution correctly and success is not guaranteed on every attempt.

Blast Radius

  • A successful exploit grants the attacker elevated privileges, allowing them to read any file or credential on the host regardless of access controls.
  • The attacker can write or modify system files, registry keys, and persisted application data.
  • The attacker can terminate processes, disable services, or crash the operating system, causing a full service outage.
  • With SYSTEM-level access the attacker can install persistent backdoors or pivot laterally to other hosts on the network.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any customer image built on an affected Windows base layer, covering all registry-stored and pipeline-scanned images. Where compliance policy permits, a patched-image rebuild at the appropriate fix version is queued automatically; for customers with auto-remediation enabled, HarborGuard completes a rebuild, runs regression tests, and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for HIGH-severity issues in fully configured environments. Because this is a local privilege escalation requiring an existing foothold, compensating controls such as enforcing least-privilege user accounts inside container workloads and restricting host-process access reduce exploitability while a rebuild is in progress. HarborGuard re-checks the advisory on each ingest cycle to catch any version range updates Microsoft publishes post-release.

See how HarborGuard automates this

Fix available

10.0.17763.888010.0.19044.741710.0.19045.741710.0.20348.525610.0.22631.721910.0.26100.865510.0.26100.3299510.0.26200.865510.0.28000.2269
Patch commits
Affected packages
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
References