MEDIUM 5.5

CVE-2026-42971: Windows Push Notifications Information Disclosure Vulnerability

A vulnerability in Windows Push Notifications can allow an authorized user on a system to access sensitive information they should not be able to see. The flaw requires local access and valid credentials, but once those conditions are met, an attacker can read confidential data without further user interaction. This is a local information disclosure issue affecting multiple Windows versions from Windows 10 through Windows 11, as well as Windows Server 2016 through 2025.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
22 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42971 is an information disclosure vulnerability (CWE-200) in the Windows Push Notifications service. The vulnerability has a CVSS v3.1 score of 5.5 (MEDIUM severity) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates an attack vector limited to the local system, low attack complexity, requirement for low-level privileges, no user interaction needed, confidentiality impact rated as high, and no integrity or availability impact. An authenticated local attacker can exploit this to disclose information through the Windows Push Notifications subsystem.

Business impact

This vulnerability presents a moderate risk to organizations, particularly those concerned with data confidentiality on multi-user or shared systems. Compromised employee credentials or insider threats could be leveraged to exfiltrate sensitive information—such as cached authentication tokens, application data, or user-specific secrets—via the Push Notifications channel. The impact is localized to individual systems rather than network-wide, but the breadth of affected Windows versions means the exposure is widespread. Organizations handling regulated data (healthcare, finance, legal) should prioritize remediation to maintain compliance posture.

Affected systems

This vulnerability affects a broad range of Microsoft platforms: Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. The inclusion of older versions like Windows 10 1607 and Server 2016 means many organizations still running legacy systems are at risk. Windows 11 versions including the latest 26H1 are also affected, indicating no version is currently exempt.

Exploitability

Exploitation requires an attacker to have valid local credentials and the ability to execute code on the target system with low privileges. There is no user interaction required, and attack complexity is low. This means any authenticated local user, including service accounts or users with limited permissions, could potentially exploit this flaw. The vulnerability is not currently tracked in the CISA KEV catalog, suggesting active exploitation in the wild has not been widely documented at the time of publication, though organizations should not interpret this as low risk given the straightforward attack requirements.

Remediation

Organizations should apply security updates from Microsoft addressing CVE-2026-42971 across all affected Windows 10, Windows 11, and Windows Server versions. Consult Microsoft's security bulletins and the official vulnerability advisory for specific patch version numbers and update mechanisms. Until patches are applied, restrict local access to systems containing sensitive data, enforce principle of least privilege on user accounts, and monitor for unauthorized access to the Push Notifications subsystem through endpoint detection and response (EDR) tools.

Patch guidance

Verify the latest security updates for your specific Windows version against the official Microsoft Security Update Guide. For Windows 10 users, check KB articles corresponding to your installed version (1607, 1809, 21H2, or 22H2). Windows 11 users should update to the latest available version (26H1 or newer once available). Windows Server administrators should prioritize updates for Server 2022 and 2025 in production environments, while scheduling updates for older Server versions according to your change management policy. Always validate patches in a non-production environment first.

Detection guidance

Monitor for suspicious process execution spawned from or accessing the Windows Push Notifications service (WpnService.exe). Use Windows Event Log auditing to track access to sensitive data paths and registry keys associated with push notifications. Deploy EDR solutions capable of detecting unusual privilege escalation attempts or lateral movement from low-privilege accounts. Hunt for unexpected authentication or token abuse patterns that correlate with push notification service activity. Query file access logs for unexpected reads of cached notification or credential data.

Why prioritize this

This vulnerability merits prompt but not emergency response. The MEDIUM severity rating, combined with the requirement for local authenticated access, means the risk is lower than a remote unauthenticated vulnerability. However, the extremely broad affected install base (spanning six versions of Windows 10 and 11, plus four Server versions) and high confidentiality impact justify swift patching within your standard update cycle. Prioritize systems hosting regulated data, multi-user shared systems, and critical infrastructure. The absence from the KEV catalog does not reduce prioritization—it simply indicates limited public exploitation evidence to date.

Risk score, explained

The CVSS 5.5 MEDIUM score reflects the combination of local-only attack vector, low privilege requirement, and high confidentiality impact balanced against the lack of integrity or availability compromise. This is appropriate for an information disclosure flaw; while not a critical code execution or privilege escalation vulnerability, the ability to access sensitive cached data on systems with multiple user accounts or sensitive workloads warrants serious attention. Organizations handling PII, credentials, or classified data should consider this a higher priority within their own risk model.

Frequently asked questions

Do I need administrator rights to exploit this vulnerability?

No. The vulnerability requires only low-level privileges—any authenticated local user on the system can potentially exploit it. This makes the risk higher than vulnerabilities requiring admin access, especially in multi-user or service account environments.

Is this vulnerability being actively exploited in the wild?

As of the vulnerability publication date, CVE-2026-42971 is not listed in the CISA Known Exploited Vulnerabilities catalog. However, the straightforward exploitation requirements mean it could become a target for threat actors. Organizations should patch proactively rather than waiting for evidence of active exploitation.

Can this vulnerability be exploited remotely?

No. The attack vector is strictly local; an attacker must have valid credentials and local access to the affected system. This does not minimize risk for organizations with loose internal access controls, but it does mean perimeter-focused defenses alone will not stop exploitation.

Which Windows Server versions are most critical to patch first?

Windows Server 2022 and 2025 should be prioritized in most production environments, as they are actively maintained and widely deployed. Server 2016 and 2019 are approaching or past their end-of-support windows; coordinate patching with your vendor lifecycle policy. Windows 10 21H2 and 22H2 should be prioritized for user-facing endpoints handling sensitive data.

This analysis is provided for informational and educational purposes only and does not constitute legal or professional security advice. Patch version numbers, exploit status, and vendor advisory details must be verified against Microsoft's official security bulletins. Organizations should validate all information against their own security policies, vendor guidance, and internal risk assessments. SEC.co makes no warranty regarding the accuracy or completeness of this vulnerability intelligence. Always test patches in non-production environments before deployment to critical systems. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).