CVE-2026-42970: Windows Push Notification Information Disclosure Vulnerability
A flaw in Windows Push Notifications can allow a user with local access to a computer to read sensitive information that should be protected. An attacker with an existing local account on the system could potentially view data in the push notification system without authorization. This is not a remote vulnerability and requires the attacker to already have some level of access to the machine.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42970 is an information disclosure vulnerability in the Windows Push Notification Service, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability has a CVSS v3.1 score of 5.5 (Medium severity) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating a local attack vector requiring low complexity and low privilege context, with high confidentiality impact but no integrity or availability consequences. An authenticated local attacker can circumvent access controls to read information through the push notification subsystem.
Business impact
The breach of push notification data could expose business-sensitive information sent through Windows notification channels, including user communications, application data, or organizational messages. For enterprises, this risk is primarily relevant in shared desktop environments or where local account security is difficult to enforce. The vulnerability does not allow data modification or system disruption, limiting the scope of business impact, but confidentiality loss may still trigger compliance obligations depending on the sensitivity of exposed data and regulatory context.
Affected systems
This vulnerability affects a broad range of Windows versions: Windows 10 (editions 1607, 1809, 21H2, and 22H2) and Windows 11 (editions 23H2, 24H2, 25H2, and 26H1), as well as Windows Server 2012, 2016, 2019, 2022, and 2025. Organizations running any of these versions in environments where local account security is a concern should prioritize assessment.
Exploitability
Exploitation requires local system access and valid credentials—an attacker cannot exploit this remotely. The attack does not require user interaction or special conditions beyond having an authenticated local session. This moderates overall risk in well-controlled environments but represents a meaningful threat in scenarios involving shared computers, contractor access, or weak local account management. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
Remediation
Apply the latest security updates from Microsoft for your Windows version. Consult Microsoft's official security bulletin for CVE-2026-42970 to identify the specific patch versions available for your edition and release. Additionally, reinforce local access controls by enforcing strong authentication, limiting local account proliferation, and restricting physical and remote desktop access to trusted users only.
Patch guidance
Check Microsoft's security update portal and your organization's patch management systems for available fixes for this CVE. Patches vary by Windows version and release; verify that the update is applicable to your specific builds (e.g., Windows 10 22H2, Windows Server 2022, etc.). Test patches in a non-production environment before broad deployment. If your organization uses Windows Update for Business or WSUS, monitor for the availability of these updates and schedule deployment according to your change management process.
Detection guidance
Monitor for unauthorized access attempts to the Windows Push Notification Service and related system processes. Review Windows Security logs for unusual local authentication or privilege elevation activity. Consider implementing file integrity monitoring on push notification data storage locations and alerting on unexpected reads from those paths. Endpoint detection and response (EDR) tools should be tuned to flag suspicious enumeration or access patterns targeting notification databases or system directories.
Why prioritize this
This vulnerability merits prompt but measured attention. Its Medium CVSS score and requirement for local access place it below critical threats, but the broad affected product range (all modern Windows client and server versions) and potential for confidentiality exposure justify timely patching. Organizations should prioritize systems in shared-access or high-sensitivity environments. Given the lack of public exploitation and KEV listing, this is not an emergency response scenario but rather a standard patch cycle priority.
Risk score, explained
The CVSS 5.5 score reflects a local-only attack vector and privilege requirement, which significantly limit attack surface compared to remote vulnerabilities. However, the high confidentiality impact and ease of exploitation (low complexity, no user interaction needed) once local access is obtained warrant a Medium rather than Low rating. The score appropriately balances the accessibility barrier against the actual damage potential.
Frequently asked questions
Does this vulnerability allow remote attacks?
No. The vulnerability requires local system access and valid credentials on the target machine. It cannot be exploited over a network without first compromising or obtaining credentials for a local account.
What data is at risk?
Push notification data stored or processed by the Windows Push Notification Service is at risk of unauthorized disclosure. The specific sensitivity depends on what applications and systems send notifications through this service; business-critical or sensitive inter-process communications could be exposed.
Is this vulnerability being actively exploited?
There is no evidence of active exploitation in the wild, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. This suggests the threat is currently theoretical rather than imminent, though organizations should still patch proactively.
How should I prioritize patching across my environment?
Focus first on systems with multiple local users or where contractor or guest accounts are common, as well as servers handling sensitive data. Standard enterprise desktops in controlled environments can follow normal patch schedules. Always test in a lab environment before broad deployment.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Patch version numbers, vendor advisories, and exploitation status may change; verify all technical details against Microsoft's official security updates and CISA resources before making security decisions. SEC.co does not provide legal or compliance advice; organizations should consult their own security teams and legal counsel regarding vulnerability management obligations. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11162MEDIUMChrome CSS Cross-Origin Data Leak Vulnerability
- CVE-2026-11168MEDIUMChrome Extension Memory Disclosure Vulnerability
- CVE-2026-11180MEDIUMChrome SVG Cross-Origin Data Leak – Patch & Mitigation Guide
- CVE-2026-11182MEDIUMChrome SVG Cross-Origin Data Leak Vulnerability
- CVE-2026-11209MEDIUMGoogle Chrome Password Memory Disclosure (CVSS 6.5)
- CVE-2026-11271MEDIUMChrome Password Feature Information Disclosure Vulnerability
- CVE-2026-42906MEDIUMWindows Shell Information Disclosure Vulnerability
- CVE-2026-42907MEDIUMWindows Shell Information Disclosure (CVSS 6.5)