CVE-2026-42912: Windows Telephony Service Race Condition Privilege Escalation
A race condition in Windows Telephony Service allows an attacker who already has local user access to exploit improper synchronization of shared resources and gain system-level privileges. The vulnerability requires the attacker to perform specific timing-dependent actions during concurrent operations—making it moderately difficult to exploit in practice, but reliably escalatable once triggered. No user interaction is required beyond the attacker's ability to run code as a local user.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-362
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42912 is a CWE-362 race condition affecting the Windows Telephony Service component. The vulnerability stems from inadequate synchronization when multiple processes or threads access shared resources concurrently. An authenticated local attacker can manipulate timing of operations to cause a state inconsistency, leading to privilege escalation from user context to SYSTEM or higher. The CVSS 3.1 vector (7.0 HIGH, AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects local attack vector, high complexity due to race condition difficulty, low privilege requirement (authenticated user), and full confidentiality, integrity, and availability impact.
Business impact
Privilege escalation vulnerabilities on Windows endpoints create pathways to lateral movement, persistence, and lateral data exfiltration. A compromised user account can be weaponized to gain administrative control of a machine, enabling malware deployment, credential theft, and further network compromise. For organizations running Windows 10 or Windows Server infrastructure, this vulnerability presents insider-threat and targeted-attack risk—particularly in environments where user isolation and least-privilege are not strictly enforced. Ransomware and APT groups frequently chain such escalation flaws to establish durable footholds.
Affected systems
Vulnerable versions include Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2, 26H1), and Windows Server (2012, 2016, 2019, 2022, 2025). Coverage is broad across both client and server lines. Legacy versions (Windows 10 1607) and current versions (Windows 11 26H1, Server 2025) are affected, indicating the flaw existed in older code paths and has persisted through multiple updates. Organizations with heterogeneous Windows estate must assume multi-generation vulnerability exposure.
Exploitability
Exploitation requires local code execution as an authenticated user—a non-trivial barrier but common in scenarios involving supply-chain compromise, insider threat, or post-compromise lateral movement. The race condition's high complexity (AC:H in CVSS) means timing and system load conditions matter; attackers must carefully choreograph concurrent operations to trigger the vulnerability. However, the vulnerability is not dependent on user interaction (UI:N), so once local code runs, exploitation can be automated. As of publication, the vulnerability is not listed in CISA's KEV catalog, suggesting active in-the-wild exploitation has not yet been widely confirmed, though this should not be interpreted as low risk given the severity and broad platform coverage.
Remediation
Microsoft patches for this vulnerability should be deployed via Windows Update or WSUS as soon as they become available. Verify patch availability and version numbers directly from Microsoft security advisories (Windows 10 and Windows 11 servicing stacks, Windows Server monthly rollups). Interim mitigations include enforcing code integrity policies (AppLocker, Windows Defender Application Control) to restrict unprivileged execution, disabling the Telephony Service if not required, and applying principle of least privilege to limit local user scope. Organizations should prioritize patching on servers and shared machines where multiple users exist.
Patch guidance
Apply security updates from Microsoft for Windows 10, Windows 11, and Windows Server editions listed in the affected systems summary. Check Microsoft's official security bulletin for this CVE to confirm specific KB article numbers and patch version strings before deployment. Validate patches in a staging environment first, as Telephony Service patches may affect dependent applications. For Windows Server environments, test updates on non-production systems and stage rollout by edition (2012, 2016, 2019, 2022, 2025) to manage operational risk. Automate patching through Windows Update for Business, WSUS, or third-party patch management tools to ensure consistent coverage.
Detection guidance
Monitor for unusual Telephony Service (tapisrv.exe) process activity, especially spawning child processes or accessing privileged system resources. Track process creation events from low-privilege user contexts that reference telephony-related APIs. Look for concurrent access patterns in system logs related to shared resource contention. Endpoint detection and response (EDR) solutions should flag privilege escalation chains originating from user-mode execution of Telephony Service components. Behavioral analytics on process token elevation can signal successful exploitation. Note that the race condition may not produce obvious error logs; detection relies more on behavioral indicators than exception events.
Why prioritize this
HIGH severity (CVSS 7.0) combined with broad platform coverage across Windows 10, 11, and Server editions makes this a significant elevation vector for insider and post-compromise scenarios. Although not yet in the KEV catalog, the authentic privilege escalation path and low privilege requirement warrant prompt patching in enterprise environments. Organizations should schedule patching within their standard monthly cycle and prioritize endpoints in higher-risk zones (developer machines, shared workstations, servers accepting remote sessions). The race condition complexity does not materially reduce risk; it merely makes opportunistic exploitation less likely than targeted or automated abuse.
Risk score, explained
The CVSS 7.0 score reflects high confidentiality, integrity, and availability impact once privilege elevation succeeds. The local attack vector and requirement for prior authentication (low privilege) appropriately constrain the base score below 'critical,' but the high complexity of exploiting a race condition does not lower severity—it only makes the attack harder to execute reliably. In a targeted threat model, a determined adversary can invest effort to trigger the race condition, making the technical barrier secondary to the strategic risk of privilege escalation. The score appropriately prioritizes this as a high-urgency patch.
Frequently asked questions
Does this vulnerability require user interaction to exploit?
No. The vulnerability can be exploited through automated, programmatic execution of carefully timed operations within the Telephony Service. An attacker who already has local user-level code execution can trigger the race condition without social engineering or user clicks.
Is this vulnerability being actively exploited in the wild?
As of the publication date, the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, this does not guarantee the absence of private or targeted exploitation. Organizations should not delay patching in reliance on KEV status; priority should be based on the technical severity and your exposure to untrusted local users.
Can I work around this vulnerability without patching?
Partial workarounds include disabling the Telephony Service if your organization does not rely on it, applying strict application whitelisting to prevent low-privilege users from executing code, and enforcing multi-factor authentication to reduce the likelihood of compromised user credentials. However, these do not eliminate the underlying flaw. Patching is the definitive remediation.
Which Windows versions are most critical to patch first?
Windows 11 (23H2, 24H2, 25H2, 26H1) and Windows Server 2022/2025 are the actively supported versions and should be prioritized. However, if your environment still runs Windows 10 22H2 or Windows Server 2019, those should also be included in the first patch wave, as they remain in extended support and carry the same privilege escalation risk.
This analysis is provided for informational purposes and reflects the state of vulnerability data as of the publication date. Patch version numbers, KB article references, and specific remediation timelines should be verified against official Microsoft security advisories and your organization's patch management policy. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor responses or patch availability. Organizations should conduct their own risk assessment and testing before deploying patches in production environments. The absence of a vulnerability from CISA's KEV catalog does not indicate low risk or absence of active exploitation; threat landscape changes rapidly. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10940HIGHChrome Windows Sandbox Escape via Codec Race Condition
- CVE-2026-42836HIGHWindows Function Discovery Service Race Condition Privilege Escalation
- CVE-2026-42909HIGHMicrosoft Remote Desktop Client Race Condition Remote Code Execution
- CVE-2026-42913HIGHRemote Desktop Client Race Condition Allows Network Code Execution
- CVE-2026-42977HIGHWindows Push Notifications Race Condition Local Privilege Escalation
- CVE-2026-42978HIGHWindows Push Notifications Privilege Escalation (CVSS 7.8)
- CVE-2026-42979HIGHWindows Push Notifications Privilege Escalation (Race Condition)