HIGH 7.8

CVE-2026-42978: Windows Push Notifications Privilege Escalation (CVSS 7.8)

CVE-2026-42978 is a privilege escalation vulnerability in Windows Push Notifications that affects multiple versions of Windows 10, Windows 11, and Windows Server. An authenticated attacker with local access can exploit a race condition—a timing-based flaw where concurrent operations on a shared resource lack proper synchronization—to gain elevated system privileges. This is a local attack requiring an existing user account, but the consequences are severe: an attacker could gain administrative control of the affected system. The vulnerability is not currently being exploited in the wild according to public disclosures.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-362, CWE-416
Affected products
19 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper synchronization in the Windows Push Notifications service when handling concurrent access to shared resources. The race condition (CWE-362) combined with potential use-after-free patterns (CWE-416) creates a window where an authorized user can manipulate the system state to bypass privilege boundaries. The attack requires local access and relatively precise timing but does not require user interaction; once the conditions align, privilege escalation occurs automatically. The CVSS 3.1 score of 7.8 (HIGH) reflects the local attack vector, high complexity, and complete compromise across confidentiality, integrity, and availability scopes.

Business impact

Exploitation allows a user with standard privileges to become an administrator on a Windows system, enabling complete system compromise. In enterprise environments, this creates lateral movement and persistence risks: an attacker could move from a compromised user account to system-level control, install backdoors, exfiltrate data, or pivot to other network resources. The attack surface includes any Windows system where untrusted users have local logon rights, making this particularly relevant in shared-use environments, terminal servers, or poorly segmented corporate networks.

Affected systems

The vulnerability affects multiple Windows editions: Windows 10 versions 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server 2019, 2022, and 2025. Notably, older Windows 10 releases (1809 and earlier) and the latest Windows 11 preview builds (26H1) are both in scope. Organizations must treat both legacy and current-release systems as at-risk.

Exploitability

The attack requires local system access and an authenticated user session (PR:L in the CVSS vector), significantly limiting the attack surface compared to remote exploits. However, the high complexity (AC:H) does not mean the vulnerability is impractical; rather, it indicates that race conditions are inherently timing-dependent and may require multiple attempts or system-specific tuning. Proof-of-concept code does not appear to be publicly available or weaponized. The absence of KEV catalog status suggests minimal in-the-wild evidence at present, though this does not reduce remediation urgency given the severity of potential impact.

Remediation

Microsoft will release patches through its standard monthly security update cycle. Organizations must prioritize patching across all affected Windows versions, particularly in environments where non-administrative users have interactive logon access. Until patches are available and deployed, administrative access controls should be reviewed: limit local logon rights to trusted users, disable unnecessary services, and monitor privilege escalation attempts via Windows Event logs (especially SeDebugPrivilege grants and unusual service restart activity).

Patch guidance

Watch for security updates affecting Windows Push Notifications from Microsoft's monthly Patch Tuesday releases. Apply updates first to Windows Server systems (especially 2019, 2022, 2025) and critical workstations, then to general Windows 10/11 deployments. Verify patch application by checking the Windows Update history and confirming the system reports a newer build number post-reboot. Because this is a privilege escalation rather than a remote code execution, unpatched systems remain functional but at elevated risk in multi-user or untrusted-user scenarios.

Detection guidance

Hunt for exploitation using Windows Security Event Log monitoring: look for unusual service restarts under different user contexts, SeDebugPrivilege assignment attempts, or unexpected elevation to SYSTEM context from standard user sessions. Monitor Windows Push Notification Service (WpnService) process creation and parent process anomalies. EDR solutions should flag attempts to spawn SYSTEM-privilege processes from user-mode contexts without expected administrative invocation. A baseline of normal privilege escalation patterns in your environment will help identify suspicious deviations.

Why prioritize this

This vulnerability merits immediate prioritization because it enables complete local system compromise with minimal user interaction and affects currently supported, widely-deployed Windows versions including Server products. Although it requires existing authentication, the scope (marked as 'Changed' in CVSS, affecting the entire system boundary) and the severity of potential impact—administrative access—make it a high-value target for attackers with internal access. Remediation should begin within days, not weeks.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects: (1) local attack vector limiting initial access but affecting systems in high-value environments; (2) high complexity, accounting for race condition timing but not rendering it impractical; (3) requirement for low privileges (standard user), broadening the attacker pool; (4) no user interaction required, increasing reliability; (5) complete impact on confidentiality, integrity, and availability via administrative access; and (6) scope change, since privilege escalation affects system boundaries beyond the vulnerable process. The 'HIGH' severity aligns with the near-complete compromise possible post-exploitation.

Frequently asked questions

Does this vulnerability allow remote code execution or network access?

No. CVE-2026-42978 requires local system access and an authenticated user session. It does not enable remote exploitation or network-based attacks. It is a privilege escalation vulnerability, not a remote access vulnerability.

Who is at risk from this vulnerability?

Windows administrators and IT teams are at risk if their systems allow non-administrative users to log in locally (standard user accounts). Enterprise environments with shared workstations, terminal servers, or multi-user systems face higher risk. Home users or single-user systems are at lower risk unless they store sensitive data and face threats from local attackers.

What should we do if we cannot patch immediately?

Implement compensating controls: restrict local logon rights to trusted administrators only, disable the Windows Push Notifications service if not needed, monitor privilege escalation attempts via Event Viewer, and isolate high-value systems from users who do not require local access. Deploy EDR or privileged access monitoring to alert on unusual service restarts or privilege grants. Develop a patch deployment schedule for all affected systems within 14 days.

Is this vulnerability being exploited in the wild?

As of the current KEV catalog status, there is no public evidence of active exploitation. However, the absence of reported attacks does not guarantee the vulnerability is not being exploited privately or will not be targeted once patches are released and the gap between patched and unpatched systems becomes clear.

This analysis is based on published CVE and CVSS data as of June 2026. Patch availability, exploitation status, and vendor guidance may evolve; consult Microsoft's official security advisories and your organization's threat intelligence before making remediation decisions. SEC.co does not provide legal or compliance advice. Testing any security patches in a non-production environment before widespread deployment is strongly recommended. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).