CVE-2026-42973: Windows Push Notifications Information Disclosure Vulnerability
CVE-2026-42973 is a Windows Push Notifications vulnerability that allows an authorized user on a local machine to read sensitive information they should not have access to. This is not a remote attack—an attacker must already have a valid user account on the system. The flaw exposes confidential data without modifying or disabling any systems, making it a disclosure risk rather than a system-breaking vulnerability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 22 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from improper information disclosure in the Windows Push Notifications subsystem, classified under CWE-200. It has a CVSS 3.1 score of 5.5 (Medium severity) with a local attack vector, low complexity, and low privilege requirements. The attack requires local access and valid user credentials but no user interaction. The impact is confidentiality loss only; integrity and availability are not affected. The attack surface is limited to the local machine, and no elevation of privilege is necessary to trigger the flaw.
Business impact
The primary risk is unauthorized disclosure of sensitive information to users already present on affected systems. In environments where endpoint security controls are strong and user trust models are well-established, the impact is constrained. However, in scenarios with elevated user churn, contractor access, or less-stringent access control policies, a departing or malicious insider could exfiltrate confidential data before being fully offboarded. The Medium severity designation reflects this limited but real exposure.
Affected systems
Multiple Windows versions are affected, spanning Windows 10 (releases 1607, 1809, 21H2, 22H2) and Windows 11 (releases 23H2, 24H2, 25H2, 26H1), as well as Windows Server 2016, 2019, 2022, and 2025. This broad footprint suggests the vulnerability is fundamental to the push notification architecture across current and legacy Windows editions. Organizations running any of these versions should assume exposure.
Exploitability
Exploitation requires local access and valid user credentials, which limits opportunistic exploitation. An attacker cannot leverage this remotely or from an unauthenticated state. The low complexity and absence of any user interaction requirement make exploitation straightforward once prerequisites are met. The vulnerability is not listed in the CISA KEV catalog, indicating it is not yet known to be actively exploited in the wild, though this does not eliminate the need for remediation.
Remediation
Microsoft has published patches for affected Windows versions. Consult the official Microsoft Security Updates page or your organization's patch management system to identify and deploy the relevant security update for your Windows release. Given the broad platform coverage, patch availability should be widespread; verify the specific update version against your current build to confirm remediation.
Patch guidance
Check Windows Update or Microsoft's security advisories for the June 2026 patch cycle and later. Organizations using Windows Server should prioritize updates for Server 2016, 2019, and 2022 environments where legacy infrastructure may delay patching cycles. Windows 10 and 11 consumers should enable automatic updates if not already configured. Verify patch application by confirming the updated build number matches Microsoft's advisory; do not rely solely on Windows Update notification status.
Detection guidance
Monitor Windows Push Notification Service logs and audit local user access patterns to sensitive system resources. Implement file system auditing on directories containing Push Notification configuration or data. Correlate user logon events with subsequent data access to identify suspicious patterns. Endpoint Detection and Response (EDR) solutions should flag unusual access to system notification stores or unexpected process activity near notification service executables.
Why prioritize this
This vulnerability merits prompt but not emergency-level response. The Medium CVSS score, requirement for local access with valid credentials, absence of KEV listing, and confidentiality-only impact place it in the second tier of priority. However, the broad platform coverage (Windows 10, 11, Server 2016–2025) and fundamental nature of the push notification subsystem justify expedited patching within a standard maintenance window. Organizations with high-sensitivity data on user-accessible systems should elevate priority.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects the balance between a serious confidentiality impact (High) and significant attack constraints (local access, low privileges, user credential requirement). No privilege escalation or system compromise occurs. The score appropriately signals a real but contained risk: insider threat potential, not mass-exploitation risk.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-42973 requires local access to the system and valid user credentials. Remote exploitation is not possible.
Does this affect Windows 7 or older systems?
Based on the vendor data provided, Windows 7 is not listed as affected. The vulnerability spans Windows 10 (multiple releases), Windows 11, and Windows Server 2016 onwards.
If I disable Push Notifications, am I protected?
Disabling or isolating the Windows Push Notification Service may reduce exposure, but Microsoft's official patch is the supported remediation. Consult vendor guidance before relying on service disablement as a workaround.
Why isn't this vulnerability in the CISA KEV catalog yet?
The KEV catalog lists vulnerabilities actively exploited in the wild. This vulnerability's absence from KEV does not mean it is safe to ignore—it simply indicates no widespread exploitation has been publicly documented as of the last KEV update.
This analysis is derived from publicly disclosed vulnerability data as of June 2026. Patch version numbers, vendor advisories, and exploitation status are subject to change and should be verified against current Microsoft Security Updates and CISA advisories. No proof-of-concept code or weaponized exploitation steps are provided. Organizations should consult their vendor's official security guidance and conduct internal risk assessments before deploying patches or implementing workarounds. This document is for informational purposes and does not constitute security advice tailored to specific environments. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11162MEDIUMChrome CSS Cross-Origin Data Leak Vulnerability
- CVE-2026-11168MEDIUMChrome Extension Memory Disclosure Vulnerability
- CVE-2026-11180MEDIUMChrome SVG Cross-Origin Data Leak – Patch & Mitigation Guide
- CVE-2026-11182MEDIUMChrome SVG Cross-Origin Data Leak Vulnerability
- CVE-2026-11209MEDIUMGoogle Chrome Password Memory Disclosure (CVSS 6.5)
- CVE-2026-11271MEDIUMChrome Password Feature Information Disclosure Vulnerability
- CVE-2026-42906MEDIUMWindows Shell Information Disclosure Vulnerability
- CVE-2026-42907MEDIUMWindows Shell Information Disclosure (CVSS 6.5)