CVE-2026-42829: Windows 11 Administrator Protection Bypass (CVSS 7.8 HIGH)
CVE-2026-42829 is a local privilege escalation vulnerability affecting Windows 11 across multiple update versions. An authenticated user with standard privileges can bypass Windows Administrator Protection—a security boundary designed to restrict administrative actions—through improper access control handling. Exploitation requires local system access and valid credentials, but does not require user interaction. The vulnerability grants an attacker full system-level permissions including read, modify, and delete capabilities.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-284
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Improper access control in Windows Administrator Protection allows an authorized attacker to bypass a security feature locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from inadequate access control enforcement in Windows Administrator Protection (CWE-284: Improper Access Control). The flaw allows a locally authenticated, low-privileged process to circumvent the protective mechanisms that normally isolate and restrict administrative function calls. The attack vector is local (AV:L), requires low attack complexity (AC:L), and necessitates low privileges (PR:L) to trigger. No user interaction is required (UI:N), and the impact is confined to the local system (S:U). Successful exploitation results in confidentiality, integrity, and availability compromise (C:H/I:H/A:H), enabling an attacker to execute arbitrary operations with SYSTEM-level rights.
Business impact
This vulnerability directly threatens the security posture of organizations deploying Windows 11 across the affected versions. Any user account with login credentials—including contractors, temporary staff, or compromised low-privilege accounts—can escalate to full administrative control. This enables lateral movement within the system, installation of backdoors, exfiltration of sensitive data, ransomware deployment, or denial of service. Organizations managing large Windows 11 fleets face heightened risk of insider threats and post-compromise persistence if the vulnerability remains unpatched.
Affected systems
The vulnerability affects Windows 11 across three update tracks: 24H2, 25H2, and 26H1. Organizations must verify their specific installed versions and build numbers against the vendor advisory to determine which systems in their environment require remediation. The broad impact across multiple recent update versions suggests Windows 11 deployments across a wide range of enterprises are potentially vulnerable.
Exploitability
Exploitability is rated as moderate to high. The vulnerability requires an attacker to have already obtained local system access and valid credentials—a meaningful barrier. However, once these prerequisites are met, exploitation is straightforward and does not require user interaction, timing, or sophisticated techniques. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting widespread active exploitation has not yet been documented at publication. Nevertheless, the accessibility of the attack (low complexity, low privilege required) means exploitation is practical and likely to be attempted once the technical details circulate.
Remediation
Apply the latest security updates from Microsoft for Windows 11 as soon as they become available. Verify that your patched build addresses the specific vulnerability identifier CVE-2026-42829. Organizations should prioritize systems with high-risk user populations (shared workstations, developer machines, contractor access) and systems handling sensitive data. Additionally, enforce principle of least privilege by auditing and revoking unnecessary administrative rights from user accounts. Consider implementing application whitelisting or Windows Sandbox to contain the blast radius of potential privilege escalation.
Patch guidance
Check the Microsoft Security Updates page and your organization's patch management system for Windows 11 cumulative updates released on or after June 17, 2026 (the vulnerability's last modification date). Verify the KB article number and build version in the advisory before deployment. Test patches in a non-production environment first, particularly if your organization relies on specialized drivers or legacy applications. Deploy patches to vulnerable systems according to your change management process, prioritizing business-critical and user-facing systems first.
Detection guidance
Monitor system logs for unusual process elevation attempts, particularly from low-privileged user sessions invoking administrative functions or services. Windows Defender for Endpoint users should enable detection rules for privilege escalation via Administrator Protection bypass. Review access control lists (ACLs) on protected administrative resources for unexpected modifications. Audit logon events and privilege use logs for suspicious patterns, such as the same user account repeatedly attempting and then succeeding at administrative actions. Network detection is limited since the vulnerability is locally exploited, but monitor for post-exploitation indicators such as unexpected SYSTEM-context child processes spawned from user sessions.
Why prioritize this
This vulnerability merits HIGH priority remediation. The combination of a 7.8 CVSS score, broad Windows 11 platform coverage, low barrier to exploitation (once local access is obtained), and the criticality of the compromised security boundary (Administrator Protection) creates significant organizational risk. Although KEV status is not yet active, the technical accessibility of the exploit means it is likely to be prioritized by attackers. Any organization with Windows 11 deployments should treat this as a near-term patching objective.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects a local attack vector requiring authentication, but with complete system compromise as the outcome. The score appropriately captures that while an attacker needs valid credentials and system access, the impact is severe once those prerequisites are met. For organizations with stringent access controls and privileged account monitoring, the contextual risk may be moderated; however, for organizations with numerous low-privileged users or shared workstations, the risk approaches critical. The absence of complexity in the attack (AC:L) and the fact that no user interaction is required further elevate the practical risk.
Frequently asked questions
Do I need local administrator credentials to exploit this vulnerability?
No. The vulnerability requires only low-privilege credentials and local system access. A standard user account, contractor account, or any authenticated local login can be used as the starting point for the attack. This makes it particularly risky in environments with shared workstations or high numbers of user accounts.
Is this vulnerability being actively exploited in the wild?
As of the publication date, CVE-2026-42829 is not listed on the CISA KEV catalog, indicating no widespread public exploitation has been documented. However, this does not mean exploitation is impossible or unlikely; it indicates that documented, in-the-wild campaigns have not yet been reported. Organizations should not delay patching based on this status.
Can this vulnerability be exploited remotely?
No. The attack vector is strictly local (AV:L), meaning an attacker must already have direct access to the Windows 11 system. Remote exploitation is not possible without first compromising the system or obtaining valid local credentials through other means.
Which Windows 11 versions are affected?
The vulnerability affects Windows 11 versions 24H2, 25H2, and 26H1. Verify your specific build number and update track against the official Microsoft security advisory to confirm if your systems are in scope.
This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. The information is accurate as of the published date (June 9, 2026) and based on available vendor data and CVSS scoring guidelines. Verify all patch version numbers, affected build versions, and remediation steps directly against the official Microsoft security advisory before implementation. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor information. Organizations should conduct their own testing and validation in controlled environments before deploying patches to production systems. This advisory does not constitute legal advice or a recommendation to take any specific action; consult your organization's security team and vendor documentation for guidance tailored to your environment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11179HIGHChrome ORB Site Isolation Bypass (CVSS 8.8)
- CVE-2026-41092HIGHMicrosoft Kinect Local Privilege Escalation Vulnerability
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)
- CVE-2026-11026MEDIUMChrome Extension Navigation Bypass Vulnerability
- CVE-2026-11078MEDIUMChrome FileSystem Same-Origin Policy Bypass – MEDIUM Severity
- CVE-2026-11135MEDIUMChrome Autofill Bypass Allows Credential Misdirection
- CVE-2026-11187MEDIUMChrome Navigation Restriction Bypass Vulnerability
- CVE-2026-11190MEDIUMGoogle Chrome Extension Access Control Bypass (6.5 CVSS)