HIGH 7.8

CVE-2026-42979: Windows Push Notifications Privilege Escalation (Race Condition)

A race condition in Windows Push Notifications allows an attacker who already has local access to a computer to gain higher-level privileges. The vulnerability exploits a timing gap in how the notification system handles shared resources, enabling privilege escalation. This is a local attack that requires an authorized user account to initiate, but could allow an attacker to break out of restricted accounts and gain administrative control.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-362, CWE-416
Affected products
19 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42979 is a concurrent execution vulnerability (CWE-362) affecting the Windows Push Notifications service. The flaw stems from improper synchronization of a shared resource, creating a race condition that an authenticated local attacker can exploit to escalate privileges across security boundaries. The CVSS 3.1 vector (7.8 HIGH) reflects local access requirement (AV:L), high attack complexity (AC:H), low privilege requirement (PR:L), and high impact across confidentiality, integrity, and availability. The vulnerability also relates to CWE-416 (use-after-free), suggesting memory safety issues may compound the synchronization defect.

Business impact

Privilege escalation via race conditions poses significant insider threat risk. An attacker with basic user access—such as a contractor, service account, or compromised non-admin user—could gain system-level control, leading to data exfiltration, malware installation, or lateral movement within enterprise networks. For organizations running shared systems (terminal servers, developer machines, labs), the attack surface widens. Remediation delays increase exposure to post-compromise persistence and lateral attacks.

Affected systems

The vulnerability affects multiple Windows versions: Windows 10 (builds 1809, 21H2, 22H2), all tracked versions of Windows 11 (23H2, 24H2, 25H2, 26H1), and Windows Server editions 2019, 2022, and 2025. Organizations with mixed Windows estate—particularly those supporting older builds like 1809 or managing Server 2019 infrastructure—face broader patching scope. Verify your deployment mix against vendor advisories for exact build and edition coverage.

Exploitability

The attack requires an authorized local user account and carries high complexity (AC:H), meaning reliable exploitation demands precise timing or multiple attempts. However, once understood, the race condition can be weaponized programmatically. The lack of network or user interaction requirement (UI:N) eliminates social engineering barriers. The vulnerability is not yet tracked in the CISA Known Exploited Vulnerabilities catalog, but the relative specificity of the flaw and public CVE disclosure may accelerate proof-of-concept development. Motivated threat actors or insiders with system access pose the primary risk.

Remediation

Microsoft has released patches for affected Windows 10 and Windows 11 versions and Server editions. Remediation requires standard Windows Update deployment or manual patch installation through Windows Server Update Services (WSUS). Organizations should prioritize Server environments and high-value workstations first, then roll out to general client fleets. Patch testing in controlled environments is advisable due to the low-to-moderate complexity of the underlying flaw. Verify patch status directly from Microsoft security advisories corresponding to the June 2026 update cycle.

Patch guidance

Apply the June 2026 security updates or later from Microsoft for your specific Windows version and build. For Windows 10, ensure you are running the latest cumulative update for builds 1809, 21H2, or 22H2. Windows 11 users should update to the latest available build (26H1 or newer if released). Windows Server 2019, 2022, and 2025 should receive their corresponding June 2026 cumulative updates. Use your organization's standard patch management process; WSUS-managed environments should receive patches via normal servicing timelines. Test non-critical systems first to rule out regression before broad deployment.

Detection guidance

Monitor for suspicious privilege escalation events in Windows Security Event Log (Event ID 4672 for special privilege assignment, 4688 for process creation with elevated tokens). Look for unexpected parent-child process relationships involving Windows Push Notifications service (WpnService.exe) spawning child processes with SYSTEM or higher context. Kernel debugging symbols and process memory analysis may reveal shared resource corruption or use-after-free signatures. Endpoint Detection and Response (EDR) solutions should flag unusual thread synchronization patterns or race condition exploitation attempts. Behavioral baselines for Push Notification service activity will help identify anomalous behavior.

Why prioritize this

This vulnerability merits urgent but measured prioritization. The HIGH CVSS score (7.8), broad Windows version coverage, and complete impact scope (CIA) demand attention. However, the local-only attack vector and AC:H complexity constrain immediate risk compared to remote or low-complexity flaws. Prioritize based on asset criticality: Server infrastructure, shared workstations, and high-value endpoints should be patched first. Standard business user machines can follow in a staged rollout. Organizations with tight endpoint security controls (application whitelisting, privilege management) have reduced exposure.

Risk score, explained

The 7.8 HIGH score reflects a balance of factors. Attack Vector (Local) and moderate complexity limit opportunistic exploitation, keeping the score below CRITICAL. However, the low privilege requirement (any authorized user) and complete impact across confidentiality, integrity, and availability (all set to High) elevate severity substantially. The system scope impact (S:C) indicates privilege escalation can affect security contexts beyond the attacker's account. For enterprises with defense-in-depth controls and patched systems, actual risk is lower; for organizations with weak endpoint hygiene or legacy configurations, realized risk approaches or exceeds the base score.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-42979 requires local access (AV:L) and an authorized user account. Remote exploitation is not possible. The attacker must already have login credentials or physical access to the affected system.

Do I need to patch immediately, or can this wait until a scheduled maintenance window?

You should patch within your normal security update cycle—typically within 1–2 weeks of release. The HIGH severity and broad affected versions warrant prioritization, but the local-only attack vector allows for measured, phased deployment rather than emergency out-of-band patching. Prioritize production servers and shared workstations first.

Which Windows versions are most critical to patch first?

Windows Server 2019, 2022, and 2025 should be prioritized because they support multiple concurrent users and larger blast radius. Shared client workstations (labs, terminal servers, developer machines) and high-value endpoints are secondary priorities. Standard single-user Windows 10/11 machines present lower risk but should still be patched within a reasonable timeframe.

How does the race condition in Push Notifications lead to privilege escalation?

The vulnerability arises from improper synchronization of a shared resource within the notification service. An attacker can exploit timing gaps to manipulate memory or state in a way that grants elevated privileges. High attack complexity (AC:H) means triggering it reliably may require specialized knowledge or multiple attempts, but once weaponized, the escalation path is deterministic.

This analysis is based on vendor-supplied CVE and CVSS data as of June 2026. Patch version numbers, exact build coverage, and remediation timelines should be verified against official Microsoft security advisories and your organization's vulnerability management systems. No working exploit code is provided or recommended. Actual risk varies by environment, endpoint controls, and asset sensitivity. Organizations should conduct their own risk assessment aligned with their threat model and business context. SEC.co makes no warranties regarding patch availability, compatibility, or effectiveness in your specific environment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).