CVE-2026-42987: Windows Deployment Services Remote Code Execution Vulnerability
CVE-2026-42987 is a use-after-free memory vulnerability in Windows Deployment Services (WDS) that allows an attacker to execute arbitrary code on vulnerable servers over the network without authentication or user interaction. The vulnerability affects multiple Windows Server versions and has a CVSS score of 8.1 (HIGH severity), indicating a significant risk to organizations relying on WDS for operating system deployment.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in Windows Deployment Services allows an unauthorized attacker to execute code over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability exploits a use-after-free condition (CWE-416) in Windows Deployment Services. Use-after-free flaws occur when a program references memory that has already been freed, allowing an attacker to overwrite or manipulate that memory to achieve code execution. The attack vector is network-based, requires high complexity to exploit, and does not require user interaction or elevated privileges. The impact spans confidentiality, integrity, and availability, meaning successful exploitation could lead to data theft, system compromise, and denial of service.
Business impact
Compromise of WDS infrastructure enables attackers to intercept or modify operating system deployment processes. This can result in widespread deployment of compromised systems across enterprise environments, persistent system access, intellectual property theft, and operational downtime. Organizations using WDS for large-scale OS deployments face particular risk, as a single successful exploit could compromise multiple systems during the deployment lifecycle.
Affected systems
The vulnerability affects Windows Server 2012, 2016, 2019, 2022, and 2025. Organizations running Windows Deployment Services on any of these platforms should prioritize assessment. Windows Server 2012 reached extended support end-of-life in 2023, so patches may not be available; customers should consider migration or network isolation strategies for those systems.
Exploitability
While the vulnerability requires high technical complexity to exploit (indicated by the AC:H vector parameter), it is network-accessible and requires no authentication or user interaction. The vulnerability is not currently documented in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation has not yet been widely observed; however, this does not indicate low risk. The memory corruption nature of the flaw means exploit development is feasible for skilled adversaries, and WDS exposure on internal networks increases attack surface.
Remediation
Apply security patches from Microsoft as soon as they become available for your affected Windows Server versions. Organizations unable to immediately patch should reduce attack surface by restricting network access to WDS servers, disabling WDS where not actively used, and implementing network segmentation to limit lateral movement if compromise occurs. Verify patching status against the official Microsoft security bulletin before returning systems to production.
Patch guidance
Consult the Microsoft Security Update Guide and the relevant Windows Server security bulletins for CVE-2026-42987 to identify and deploy the appropriate patches for your environment. Test patches in a non-production environment first, particularly if your organization relies heavily on WDS for deployment automation. Document patch deployment dates and verify successful application across all affected servers. Organizations running unsupported Windows Server 2012 should contact Microsoft support or plan migration to a supported version.
Detection guidance
Monitor WDS services for unexpected crashes or restarts, which may indicate exploitation attempts or successful compromise. Enable Windows Event Viewer logging for the Windows Deployment Services component and review for abnormal activity or error conditions. Network intrusion detection systems should be configured to alert on suspicious traffic to WDS service ports. Consider deploying endpoint detection and response (EDR) solutions on WDS servers and connected systems to detect code execution anomalies. Establish a baseline of normal WDS communication patterns to aid in identifying deviations.
Why prioritize this
This vulnerability merits high prioritization due to its network-accessible attack vector, code execution impact, and broad Windows Server version coverage. The high CVSS score reflects the severity of potential compromise. Although currently not in the KEV catalog, the combination of no authentication requirement and widespread infrastructure dependency makes this a strong candidate for active exploitation. Rapid patching minimizes the window of exposure.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH) reflects an attack that is network-accessible (AV:N) without requiring credentials or user interaction (PR:N/UI:N), but does require elevated attack complexity (AC:H). The full impact across confidentiality, integrity, and availability (C:H/I:H/A:H) underscores the severity of successful exploitation. The lack of scope change (S:U) means the vulnerability does not cross isolation boundaries, but the overall profile indicates a serious and readily exploitable condition if the technical hurdle is cleared.
Frequently asked questions
Why is this marked HIGH severity when it requires high attack complexity?
Attack complexity refers to the technical skill and effort needed to craft an exploit, not the likelihood of real-world attacks. Use-after-free flaws in widely deployed infrastructure like WDS are attractive targets for well-resourced threat actors. Once a working exploit is developed, deployment becomes routine, and the lack of authentication requirements lowers the barrier for attackers with network access.
Can this vulnerability be exploited from the public internet?
WDS is typically deployed on internal networks within organizational boundaries. However, any network exposure—whether direct internet-facing misconfiguration or lateral movement from a compromised system—increases exploitation risk. Even internal-only deployment should not be viewed as eliminating threat, particularly from insider threats or compromised internal systems.
My organization uses Windows Server 2012, which is out of support. What should I do?
Windows Server 2012 is in Extended Support until October 2023 (now expired) and will not receive further security patches. Prioritize migration to a supported Windows Server version, or isolate 2012 systems from the network and disable WDS where not critical. If continued operation is necessary, implement compensating controls such as strict firewall rules, network segmentation, and continuous monitoring.
How do I know if my WDS deployment has been compromised by this vulnerability?
Check for Microsoft's official patch status and apply patches immediately. Review WDS event logs for crashes, unexpected service restarts, or anomalous network connections. Use EDR tools to monitor for code execution originating from WDS processes. Consider conducting a forensic review if you suspect compromise, and isolate affected systems pending analysis.
This analysis is provided for informational purposes and reflects the vulnerability details published as of the modification date (2026-06-17). SEC.co does not guarantee the completeness or accuracy of vendor patch information; verify all patch details directly against Microsoft's official security advisories before deploying. Use-after-free vulnerabilities can be complex to remediate and exploit; consult with your security team and vendors to assess your specific risk posture. This information does not constitute legal, compliance, or professional security advice. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability