HIGH 7.8

CVE-2026-42980: Windows NT Kernel Integer Underflow Privilege Escalation Vulnerability

CVE-2026-42980 is a privilege escalation flaw in the Windows NT kernel that allows a user with local access to gain full administrative control of an affected system. The vulnerability stems from an integer underflow condition in memory management code. An attacker who has already logged into the machine can exploit this weakness to run code with the highest privileges, potentially compromising the entire system. This is a serious risk in environments where users share systems or where insider threats are a concern.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-122, CWE-191
Affected products
24 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

An integer underflow vulnerability exists in the Windows NT OS Kernel, categorized under CWE-122 (Heap-based Buffer Overflow) and CWE-191 (Integer Underflow/Wrap or Wraparound). The flaw permits an authenticated local attacker to trigger a numeric wrap condition that corrupts kernel memory structures, bypassing privilege boundaries. The CVSS 3.1 score of 7.8 reflects the requirement for prior local authentication (PR:L) but the complete confidentiality, integrity, and availability impact once exploited (C:H/I:H/A:H). No network vector or user interaction is needed after initial access.

Business impact

Systems affected by this vulnerability are exposed to complete privilege escalation by any user with login credentials, including service accounts, contractors, or compromised standard user accounts. In organizations using Windows desktops or servers for sensitive workloads, exploitation could result in unauthorized access to confidential data, modification of business-critical applications, or lateral movement to other systems. Multi-tenant or shared-resource environments face particularly acute risk. Regulatory compliance (SOC 2, ISO 27001, PCI-DSS) may be compromised if elevation is used to circumvent audit controls.

Affected systems

The vulnerability affects a broad range of Microsoft Windows installations: Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server editions (2012, 2016, 2019, 2022, 2025). Organizations using any of these versions in production should assume exposure unless patches have been applied. Long-term servicing branch (LTSB) and Server editions are particularly critical given their prevalence in enterprise infrastructure.

Exploitability

Exploitation requires authenticated local access to the target system; therefore, external attackers cannot directly exploit this vulnerability. However, the threat model includes phishing campaigns delivering malware to standard user accounts, supply-chain compromises, and insider attacks. Once any user is logged in, triggering the integer underflow to elevate privileges is likely straightforward, since no additional complexity is introduced by the CVSS metric (AC:L). Public exploit code or proof-of-concept material would substantially increase real-world risk; as of the publication date, this vulnerability is not yet tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Microsoft security updates addressing this kernel-level flaw must be applied to all affected Windows editions. Patches are released through the monthly security update cycle and Windows Update. Organizations should prioritize applying patches to systems with the highest user turnover, privileged accounts, or sensitive data exposure. No workarounds are available; patching is the only effective mitigation. Verify patch applicability against your specific Windows build number and edition.

Patch guidance

Deploy the latest Windows security updates as released by Microsoft for your operating system version. For Windows 10, ensure you are on the latest servicing build for your release (1607, 1809, 21H2, or 22H2). For Windows 11, update to the latest available version (26H1 or later, depending on your servicing branch). Windows Server administrators should apply updates for Server 2012, 2016, 2019, 2022, or 2025 as applicable. Use Windows Update, WSUS, or your organization's patch management solution to verify all systems have received the update. Test patches in a non-production environment first, particularly for server systems, to ensure compatibility with legacy applications.

Detection guidance

Monitor system event logs for unusual process creation with elevated privileges, particularly privilege escalation events (Windows Security event ID 4688 with elevated token). Use endpoint detection and response (EDR) solutions to flag attempts to modify kernel memory or exploit memory-management subsystems. Kernel debugging tools and memory forensics can confirm exploitation post-incident by identifying corruption patterns consistent with integer underflow attacks. Organizations without EDR should implement application whitelisting to restrict which processes can execute at elevated levels, reducing attack surface even if the vulnerability is present.

Why prioritize this

Although exploitation requires pre-existing local access, the complete impact (full system compromise via privilege escalation) and the breadth of affected systems (multiple Windows 10 and Windows Server editions spanning many years) warrant HIGH priority remediation. This vulnerability is particularly dangerous in shared or multi-user environments and should be treated with the same urgency as worm-capable critical flaws. The absence of active exploitation in the wild (as evidenced by KEV non-listing) provides a window to patch before threat actors weaponize it.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects the confluence of severe impact (C:H/I:H/A:H—complete confidentiality, integrity, and availability compromise) with a low-friction attack vector once local access is obtained (AV:L/AC:L/PR:L/UI:N). The metric acknowledges that the attacker must already be authenticated but makes no allowance for phishing, credential theft, or insider scenarios that enable that initial access. The score appropriately penalizes enterprises where privilege separation is a key defense.

Frequently asked questions

Can an external attacker exploit this without already being on my network?

No. The vulnerability requires the attacker to have local login credentials or an active session on the target machine. However, obtaining those credentials through phishing, password cracking, or credential stuffing—followed by exploitation of this kernel flaw—is a realistic attack chain.

Does this affect Windows Subsystem for Linux (WSL) or virtual machines running on Windows?

The vulnerability exists in the Windows NT kernel itself, not in container or virtualization layers. WSL2 (which uses Hyper-V) runs a separate Linux kernel and is not directly affected; however, a host system compromised via this flaw could enable lateral movement into virtual machines.

Are there any temporary mitigations if I cannot patch immediately?

No reliable workarounds exist for a kernel-level vulnerability. You can reduce exposure by restricting local login privileges to trusted accounts only, disabling unnecessary services that run with elevated rights, and using application whitelisting. However, these measures are not substitutes for patching.

How long do I have to patch before active exploits appear?

While this vulnerability is not yet tracked in CISA's KEV catalog, advanced threat actors often develop exploits privately. Organizations should treat this as a months-to-quarters risk window and prioritize patching within 30–60 days, especially for high-value or externally-facing systems.

This analysis is based on vulnerability data published as of June 2026 and is current as of that date. Patch version numbers and availability should be verified against Microsoft's official Security Update Guide. Organizations should test patches in non-production environments before broad deployment. No exploit code or weaponized techniques are provided herein. This document does not constitute legal, compliance, or medical advice; consult your security team and vendor documentation for your specific environment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).