CVE-2026-42974: Windows Performance Monitor Integer Overflow Remote Code Execution Vulnerability
A flaw in Windows Performance Monitor allows an attacker to crash or take control of a system by sending specially crafted network requests. The vulnerability stems from how the Performance Monitor handles very large numbers, causing it to malfunction and execute unauthorized code. An attacker does not need valid credentials or user interaction to exploit this; they only need network access to the affected system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-190
- Affected products
- 10 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Integer overflow or wraparound in Windows Performance Monitor allows an unauthorized attacker to execute code over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42974 is an integer overflow vulnerability (CWE-190) in Windows Performance Monitor that permits remote code execution without authentication. The flaw arises from improper validation of numeric input, allowing an attacker to craft a network payload that causes integer wraparound. This results in memory corruption that can be leveraged to execute arbitrary code with the privileges of the Performance Monitor process. The attack vector is network-based, attack complexity is high, and no user interaction is required.
Business impact
Compromise of Windows systems running affected versions creates significant risk of data theft, system takeover, and lateral movement within corporate networks. Performance Monitor is a core Windows component, meaning any internet-facing or internally networked Windows device running a vulnerable version could become an attack vector. In environments where Performance Monitor is remotely accessible or monitored, the risk is amplified. Potential impacts include loss of confidentiality, integrity, and availability of critical business systems.
Affected systems
The vulnerability affects multiple versions of Windows 11 (23H2, 24H2, 25H2, 26H1) and Windows Server 2022 and Windows Server 2025. Both client and server operating systems are in scope. Organizations running these versions should prioritize assessment and patching. Verify exact patch availability against Microsoft security advisories, as not all versions may have patches released simultaneously.
Exploitability
While the vulnerability requires network access and high attack complexity (suggesting the attacker must overcome specific conditions or mitigations), it requires no authentication or user interaction. The CVSS 3.1 score of 8.1 (HIGH) reflects the combination of remote exploitability with full system compromise potential. However, the lack of any public exploit code in the CISA Known Exploited Vulnerabilities (KEV) catalog and the high attack complexity suggest weaponization barriers currently exist. Threat actors with sophisticated knowledge of Windows internals and memory layout randomization bypass techniques pose the greatest risk.
Remediation
Apply security patches from Microsoft as soon as they become available. Verify patch applicability to your specific Windows version and build number against official Microsoft security updates. Until patches are deployed, restrict network access to systems where Performance Monitor functionality is exposed or remotely callable, and enforce network segmentation to limit lateral movement if compromise occurs.
Patch guidance
Monitor Microsoft Security Update Guide and Windows Release Health pages for patches addressing CVE-2026-42974. Patches may be rolled out incrementally across different Windows versions and servicing channels. Test patches in a non-production environment before broad deployment. For Windows 11, verify which servicing versions (23H2, 24H2, 25H2, 26H1) receive patches and when. For Windows Server 2022 and 2025, coordinate patches with your release management and change control processes to minimize downtime.
Detection guidance
Monitor for unusual network traffic destined to Performance Monitor or the perfmon.exe process. Audit Event Viewer logs for unexpected elevation or code execution from Performance Monitor. Implement endpoint detection and response (EDR) tools tuned to flag abnormal process memory allocations or shellcode execution patterns originating from perfmon.exe. Hunt for failed integer operations or arithmetic exceptions in application event logs that may precede successful exploitation attempts.
Why prioritize this
HIGH priority due to CVSS 8.1 severity, network exploitability without authentication, and broad impact across both client and server Windows platforms in active use. The high attack complexity provides some operational friction, but the vulnerability still warrants immediate patch planning and deployment. Organizations with internet-facing Windows systems or those using Performance Monitor in monitoring infrastructure should prioritize this above lower-severity items.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects a network-accessible vulnerability with no authentication requirement that can result in complete system compromise (high impact to confidentiality, integrity, and availability). The HIGH attack complexity prevents a perfect score but does not substantially reduce the practical risk, as targeted attackers with Windows internals expertise are likely to overcome those hurdles. The lack of KEV listing indicates no widespread public exploitation to date, but this may change as patches are released and reverse-engineering accelerates.
Frequently asked questions
Does this vulnerability require the user to click a link or open an email attachment?
No. This is a remote network vulnerability that requires no user interaction. An attacker only needs network access to the affected system to potentially exploit it.
Are there any workarounds if I cannot patch immediately?
Limit network access to affected systems, particularly for any protocols or services that expose Performance Monitor functionality. Disable remote Performance Monitor access if it is not required for your operations. However, patching remains the definitive remediation.
How long do I have before attackers actively exploit this?
The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog, suggesting active exploitation has not been widespread. However, once patches are released and analyzed, exploitation risk typically increases. Plan patch deployment for the first available maintenance window after patches are released by Microsoft.
Which Windows systems are most at risk?
Windows 11 versions 23H2, 24H2, 25H2, and 26H1, as well as Windows Server 2022 and 2025. Verify your specific build version and check Microsoft's guidance to determine if your configuration is affected.
This analysis is provided for informational purposes and does not constitute professional security advice. Verify all technical details, patch availability, and affected system configurations directly against official Microsoft security advisories and your own environment assessment. SEC.co makes no warranty regarding the completeness, accuracy, or applicability of this information to your specific circumstances. Organizations are responsible for validating patches and conducting their own risk assessments before deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10921HIGHChrome Dawn Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-10924HIGHChrome Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-42916HIGHWindows NT Kernel Integer Overflow Privilege Escalation Vulnerability
- CVE-2026-11281MEDIUMGoogle Chrome Chromoting Integer Overflow Information Disclosure
- CVE-2026-11299MEDIUMInteger Overflow in Google Chrome Font Processing (Medium Severity)
- CVE-2026-9882MEDIUMChrome ANGLE Integer Overflow Allows Cross-Origin Data Leakage
- CVE-2026-0095HIGHAndroid Bluetooth Integer Overflow Privilege Escalation
- CVE-2026-10118HIGHInteger Overflow in Poppler Splash Backend Leading to Code Execution