HIGH 8.1

CVE-2026-42981: Windows Performance Monitor Integer Underflow RCE

Windows Performance Monitor contains an integer underflow vulnerability that allows attackers to execute arbitrary code on affected systems over a network without authentication. The flaw affects multiple versions of Windows 11 and Windows Server 2022/2025. While exploitation requires specific conditions (reflected in the CVSS complexity rating), successful attacks could grant an attacker full control of the compromised system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-191
Affected products
10 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Integer underflow (wrap or wraparound) in Windows Performance Monitor allows an unauthorized attacker to execute code over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42981 is an integer underflow (wraparound) vulnerability in Windows Performance Monitor, categorized under CWE-191. Integer underflow occurs when a calculation produces a value smaller than the minimum representable value for an integer type, causing it to wrap around to a large positive or negative value. In this case, the vulnerability permits remote code execution without requiring user interaction or pre-existing privileges. The attack vector is network-based; the relatively high complexity score (AC:H) suggests exploitation may depend on specific system configurations or input patterns, but the high impact ratings (C:H/I:H/A:H) indicate that successful compromise results in complete confidentiality, integrity, and availability breaches.

Business impact

Exploitation of this vulnerability could allow attackers to gain administrative-level control of Windows systems and servers, leading to data theft, system compromise, malware installation, or lateral movement within corporate networks. Organizations running affected Windows 11 or Windows Server versions face risk of operational disruption, regulatory compliance violations (depending on industry), and reputational damage. The network-based attack vector means vulnerable systems exposed to untrusted networks or the internet are at highest risk.

Affected systems

Microsoft Windows 11 versions 23H2, 24H2, 25H2, and 26H1 are affected. Windows Server 2022 and Windows Server 2025 are also in scope. Organizations should verify their deployed versions and build numbers against vendor documentation to determine exposure. Both client and server workloads are potentially impacted, making this relevant across diverse environments.

Exploitability

The vulnerability is currently not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread public exploitation or active threat campaigns at the time of this analysis. However, the CVSS vector indicates exploitation is feasible over the network without user interaction or authentication—key factors that often drive rapid weaponization. The AC:H rating suggests that successful attacks require specific conditions such as particular system configurations, memory layouts, or crafted input sequences, which may slow but not prevent skilled attackers from developing reliable exploits.

Remediation

Apply security updates from Microsoft addressing CVE-2026-42981 for your specific Windows 11 version and Windows Server operating system. Verify available patches against the official Microsoft Security Update Guide and deploy to all affected systems. Prioritize servers and internet-facing systems. Until patches are available or deployed, monitor for suspicious Performance Monitor process activity and restrict network access to trusted sources where feasible.

Patch guidance

Consult the official Microsoft Security Update Guide (support.microsoft.com/en-us/help) for CVE-2026-42981 to identify the specific KB article and patch version applicable to your Windows 11 build (23H2, 24H2, 25H2, 26H1) or Windows Server release (2022, 2025). Test patches in a controlled environment before production deployment. Windows Automatic Update should eventually deliver the patch; organizations with deferred or manual update processes should initiate patching within the next update cycle.

Detection guidance

Monitor Event Viewer for abnormal Performance Monitor (perfmon.exe, perfmon.msc) process execution, unexpected network connections initiated by Performance Monitor or related system processes, and privilege escalation events following suspicious perfmon activity. Implement application whitelisting or Windows Defender Application Control policies to restrict unauthorized execution of system tools. Network-based detection should flag suspicious inbound connections targeting Windows Performance Monitor services if exposed. Query endpoint detection and response (EDR) platforms for signals related to integer overflow/underflow exploitation patterns or code execution from monitoring components.

Why prioritize this

This vulnerability merits high-priority patching because it combines network-based attack capability, no authentication requirement, and high impact (confidentiality, integrity, and availability compromise). Although not yet publicly exploited, the low barrier to attack (no user interaction) means the window for exploitation before widespread adoption of patches is material. Windows Server systems and internet-facing Windows 11 machines should be treated as critical; internal-only systems can follow standard patching timelines.

Risk score, explained

The CVSS 3.1 score of 8.1 (HIGH) reflects: (1) Network accessibility (AV:N) — attackers need no physical access; (2) No prior authentication required (PR:N); (3) No user interaction needed (UI:N); (4) High impact to confidentiality, integrity, and availability (C:H/I:H/A:H) — successful exploitation grants full system compromise. The 'High' complexity (AC:H) moderates the score and acknowledges that specific conditions may be required to trigger the underflow, reducing the immediate threat to a theoretical maximum but not eliminating it.

Frequently asked questions

Could my Windows 11 or Windows Server system be vulnerable even if I don't use Performance Monitor directly?

Yes. Performance Monitor is a built-in Windows component that runs at the system level and can be invoked programmatically by other software and system services. Even if you do not manually launch the Performance Monitor graphical interface, the underlying code may be reachable through network-based calls or automated service activity. All users on affected Windows versions should be considered at risk.

What is an integer underflow, and why does it lead to code execution?

An integer underflow occurs when a mathematical operation produces a result smaller than the smallest representable value in an integer data type, causing the value to wrap around to a very large number. Attackers exploit this by crafting inputs that cause such wraparound, potentially allowing them to write data to unintended memory locations or bypass size checks. If the wraparound leads to incorrect memory allocation, bounds checking, or pointer arithmetic, it can enable code execution.

Is there a workaround if I cannot patch immediately?

Workarounds are limited because Performance Monitor is a core Windows component. Network segmentation to restrict untrusted access, disabling remote access to Performance Monitor APIs (if not required), and deploying network intrusion prevention signatures specific to exploitation attempts offer partial mitigation. However, patching remains the definitive fix. Prioritize patching high-risk systems within days rather than weeks.

Why is this vulnerability marked as not in the KEV catalog?

The CISA Known Exploited Vulnerabilities catalog includes only those vulnerabilities for which CISA has confirmed active, in-the-wild exploitation by threat actors. As of the vulnerability's publication and last update, there is no evidence of widespread public exploitation. This does not mean the vulnerability is not exploitable—only that no organized threat campaigns have been reliably observed targeting it yet.

This analysis is provided for informational purposes and reflects vulnerability data as of the publication date. Patch availability, exploitation status, and threat landscape evolve; organizations should verify current patch status against official vendor advisories and monitor security feeds for updates. SEC.co does not provide exploit code or weaponizable details. Testing patches before production deployment is strongly recommended. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).