HIGH 7.8

CVE-2026-42977: Windows Push Notifications Race Condition Local Privilege Escalation

A race condition in Windows Push Notifications allows an authorized user on a Windows machine to exploit a timing gap and gain elevated system privileges. An attacker who already has basic user access can trigger this vulnerability locally without needing to interact with the system at a particular moment—the flaw is entirely automated once initiated. This affects multiple versions of Windows 10, Windows 11, and Windows Server.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-362
Affected products
19 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42977 is a CWE-362 race condition in the Windows Push Notifications service. The vulnerability stems from improper synchronization when multiple processes or threads access a shared resource concurrently. An authorized local user can manipulate timing conditions to win a race and execute code or modify data with SYSTEM or higher privileges. The attack surface is bounded to local execution only (AV:L), requires low privileges to trigger (PR:L), and does not require user interaction (UI:N), making it a reliable local privilege escalation vector once an initial foothold exists.

Business impact

This vulnerability poses a significant risk to organizations because any employee or contractor with basic user access—such as through a compromised standard account, malware infection, or insider threat—can escalate to administrative privileges without additional user action. In multi-tenant or shared-workstation environments, this enables lateral movement and data exfiltration. For Windows Server deployments, privilege escalation can lead to full infrastructure compromise, affecting databases, applications, and network segmentation.

Affected systems

The vulnerability affects a broad Windows ecosystem: Windows 10 versions 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server editions 2019, 2022, and 2025. This spans consumer, professional, and server SKUs, meaning the remediation scope is extensive for most organizations.

Exploitability

Exploitability is moderate in real-world conditions. An attacker must already possess valid local credentials or code execution as a standard user. The race condition requires some precision in timing but does not depend on user action or environmental variables that are difficult to control. The attack is deterministic and repeatable once the initial conditions are established. At present, there is no indication of active exploitation in the wild, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.

Remediation

Microsoft has issued security updates addressing this flaw across all affected Windows versions and Server editions. Organizations should prioritize applying the June 2026 security updates and subsequent patches. No workaround mitigates the race condition itself, so patching is the primary remediation path. Least-privilege access controls and limiting local account creation reduce the attack surface for an unauthenticated attacker.

Patch guidance

Apply Microsoft's security updates released on or after June 9, 2026, for your Windows version. For Windows 10, verify you are on version 1809, 21H2, or 22H2 and install the latest cumulative update. Windows 11 users should ensure they are running the latest build for versions 23H2, 24H2, 25H2, or 26H1. Windows Server 2019, 2022, and 2025 administrators should apply the corresponding June 2026 security rollup or later. Consult your organization's patch management process and Microsoft's official security bulletin for precise version numbers and download links.

Detection guidance

Monitor for privilege escalation events correlated with Windows Push Notifications service activity. Look for unusual access to shared resources or temporary files used by the notification service, particularly when accessed by low-privilege processes in rapid succession. Audit logs showing process creation with unexpected privilege levels, especially SYSTEM-level processes spawned by standard user sessions, warrant investigation. Endpoint detection and response (EDR) tools configured to flag suspicious process parent-child relationships or privilege escalation attempts should be tuned to catch anomalies around WpnService.exe and related binaries.

Why prioritize this

This vulnerability merits HIGH priority due to its broad impact across consumer and enterprise Windows deployments, the HIGH CVSS score (7.8) reflecting comprehensive impact on confidentiality, integrity, and availability, and the low barrier to exploitation once an attacker has initial user access. The absence of active exploitation and KEV listing provides a narrow window to patch before threat actors weaponize the flaw. Large organizations with thousands of machines should begin deployment immediately; smaller organizations should complete patching within 30 days of release.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector limiting exposure; high complexity compensating somewhat for severity; low privilege requirement showing ease of exploitation by insiders or malware; comprehensive impact on confidentiality, integrity, and availability; and scope change indicating the attacker can impact resources beyond the vulnerable component. The score appropriately weights this as a serious but not critical vulnerability, placing it above medium-severity issues but below remote code execution or wormable flaws.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The attack vector is strictly local (AV:L), meaning the attacker must execute code or possess a local session on the affected machine. Network-based attacks cannot trigger this race condition.

Do I need to be an administrator to exploit this vulnerability?

No. The vulnerability requires only basic user-level privileges (PR:L) to initiate. An attacker with a standard user account or any code running as a standard user can trigger the race condition to escalate to SYSTEM or administrator level.

Is there an active exploit in the wild?

As of the last update, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog and there is no public evidence of active weaponization. However, given the relative ease of exploitation once user access is obtained, organizations should not delay patching.

Which version of Windows should I patch first?

Prioritize your business-critical systems and servers (Windows Server 2019, 2022, 2025) first, as privilege escalation on servers can compromise entire infrastructure. Then address Windows 11 deployments, followed by Windows 10 systems. All versions are equally vulnerable and should be patched per your change management schedule.

This analysis is provided for informational purposes based on the publicly disclosed vulnerability details as of the publication date. SEC.co does not guarantee the accuracy of third-party vendor claims or patch release schedules. Organizations should verify patch applicability, compatibility, and deployment timelines with official Microsoft advisories and their internal risk management processes. This document does not constitute security advice tailored to your environment and should be reviewed in conjunction with your security team's threat modeling and patch management policies. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).