CVE-2026-42836: Windows Function Discovery Service Race Condition Privilege Escalation
A race condition in Windows' Function Discovery Service (fdwsd.dll) allows a user already logged into a machine to escalate their privileges to administrator level. The vulnerability exists because the service does not properly synchronize access to shared resources when multiple processes run concurrently, creating a narrow window where an attacker can manipulate the process. An authorized user would need local access and specific timing to exploit this, but successful exploitation grants full system-level permissions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-362, CWE-416
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42836 is a local privilege escalation vulnerability stemming from improper synchronization of shared resources in fdwsd.dll (Function Discovery Service). The race condition (CWE-362) combined with potential use-after-free patterns (CWE-416) allows an authenticated local attacker to achieve privilege elevation. The attack requires low-level user privileges (PR:L) and a non-trivial race window (AC:H), but once triggered, it grants high-impact access to confidentiality, integrity, and availability controls. The vulnerability is not limited to a single Windows version and affects multiple release channels across Windows 10, Windows 11, and Windows Server editions.
Business impact
This vulnerability creates a post-compromise risk for any organization running affected Windows systems. An insider or attacker who has gained user-level access—whether through phishing, weak credentials, or another vector—can use this flaw to gain administrative control without requiring external resources or elevated entry points. On endpoints used by privileged staff (system administrators, developers, database administrators), this escalation could lead to lateral movement, data exfiltration, or persistence mechanisms. On shared servers or terminal services, the risk is amplified. Given the broad OS coverage, remediation delay could expose a significant portion of most enterprise Windows fleets.
Affected systems
The vulnerability impacts Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2, 26H1), and Windows Server editions (2012, 2016, 2019, 2022, 2025). Organizations should conduct an inventory to identify machines running these versions, particularly those with user populations requiring privilege elevation or those connected to sensitive network segments. Server environments running Windows Server 2012 and 2016 (extended support only) warrant priority attention if still in use.
Exploitability
Exploitation requires authenticated local access and successful execution of a race condition, placing this in the 'difficult but achievable' category for an attacker already on a system. The attack surface is limited to users with local logon rights; remote exploitation is not possible. However, the barrier to entry is significantly lower than remote code execution vulnerabilities, and the complexity is manageable for skilled attackers once they understand the precise timing and resource contention window. No public exploit code or widespread in-the-wild abuse has been reported as of the vulnerability's publication, but the HIGH CVSS score reflects the severity of impact if exploited.
Remediation
Patched versions of Windows must be deployed to all affected systems. Verify the specific build numbers and cumulative update versions from Microsoft's June 2026 security bulletin before deployment. Organizations should prioritize servers, high-value endpoints, and machines used by administrative staff. In environments where patching must be phased, implement complementary mitigations: enforce strict access controls restricting local logon to necessity-based groups, monitor process creation and privilege escalation events, and disable Function Discovery Service where not required for business operations. Test patches in a controlled environment before broad rollout, particularly on Windows Server 2012 systems where extended support timelines may affect your patch schedules.
Patch guidance
Obtain and deploy the cumulative updates or security-only patches released in June 2026 from Microsoft Update, Windows Server Update Services (WSUS), or Microsoft's catalog. Verify patch status via 'winver' or 'systeminfo' post-deployment. For Windows Server systems, prioritize machines in Data Center and Standard editions currently in support. Windows Server 2012 (including R2) requires particular attention due to its extended support lifecycle—confirm patch availability and compatibility with your infrastructure before scheduling. If using endpoint management systems (Intune, SCCM, Configuration Manager), configure automatic deployment policies and monitor compliance. Test in a staging environment reflecting your production configuration before broad deployment to catch any compatibility issues with line-of-business applications.
Detection guidance
Monitor Event Viewer logs for suspicious privilege escalation attempts, particularly in Security event ID 4672 (Special privileges assigned to new logon) and 4673 (An attempt was made to call a privileged service operation). Enable audit policies for process creation (Event ID 4688) and object access to catch attempts to manipulate Function Discovery Service resources. Use behavioral analytics to identify unusual patterns of local user elevation or rapid successive failed logon attempts followed by privilege escalation. Check for unsigned or unexpected modifications to fdwsd.dll and related service binaries. Endpoint Detection and Response (EDR) tools should flag attempts to disable or manipulate Windows services associated with Function Discovery. Log and alert on any service restarts or resource contention patterns in the Function Discovery namespace.
Why prioritize this
Despite not being exploited in the wild as a known exploit, this vulnerability merits HIGH priority due to its local privilege escalation impact, broad operating system coverage, and low authentication barrier. Organizations with hybrid or on-premises Windows Server infrastructure face particular risk. The race condition nature means reliable detection is challenging and exploitation windows are narrow—favoring rapid patching over prolonged monitoring. Any system where standard users have local logon rights should be treated as a critical exposure vector for privilege escalation chains.
Risk score, explained
The CVSS 3.1 score of 7.0 (HIGH) reflects a local attack vector with high impact across confidentiality, integrity, and availability, tempered by the requirement for low-level privileges and a difficult-to-trigger race condition (AC:H). The privilege escalation from user to system level is significant, but the difficulty in reliably triggering the race keeps it below CRITICAL. Organizations should not interpret 'merely HIGH' as low urgency—the combination of breadth (15+ OS versions) and impact (full system compromise) justifies immediate patching schedules.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-42836 requires local access and authenticated logon to a Windows system. Remote attackers cannot exploit it directly, but it poses a significant risk in post-compromise scenarios where an attacker has already gained user-level access via phishing, malware, or weak credentials.
Which user types can exploit this? Do I need to worry if we restrict local logon?
Any user with local logon rights can potentially trigger this race condition. If your environment restricts local logon to a small group (e.g., IT staff and administrators only), your exposure is lower. However, service accounts, shared desktop systems, and terminal servers increase risk. Review your local logon policies and enforce principle of least privilege.
Is this vulnerability actively being exploited?
As of the publication date, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog and no public exploit code is known. However, that status can change. The relative simplicity of triggering a race condition once understood means you should assume sophisticated threat actors will eventually develop reliable exploitation methods—prioritize patching accordingly.
What should we do if we cannot patch immediately?
Implement defense-in-depth: restrict local logon to only necessary accounts, disable Function Discovery Service if not operationally required, monitor privilege escalation attempts via Event Viewer and EDR tools, and isolate critical systems with network segmentation. These measures reduce exploitability and detection time, but they are not substitutes for patching. Establish a clear timeline to deploy patches and track progress against it.
This analysis is provided for informational and educational purposes only and does not constitute security advice specific to your organization. Vulnerability details and patch availability are subject to change. Verify all patch version numbers, compatibility, and deployment guidance against official Microsoft security bulletins and your vendor advisories before implementing. Organizations must conduct their own risk assessments based on their environment, asset inventory, and threat model. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for decisions made based solely on this content. Always consult with your security team and conduct thorough testing in controlled environments before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42909HIGHMicrosoft Remote Desktop Client Race Condition Remote Code Execution
- CVE-2026-42913HIGHRemote Desktop Client Race Condition Allows Network Code Execution
- CVE-2026-42978HIGHWindows Push Notifications Privilege Escalation (CVSS 7.8)
- CVE-2026-42979HIGHWindows Push Notifications Privilege Escalation (Race Condition)
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis