Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft PowerToys allows an authenticated low-privileged user on a Windows system with PowerToys installed to elevate to higher privileges by abusing an improper authorization check (CWE-285). The flaw requires existing local access and low-level credentials, with no public exploit identified at time of analysis and no CISA KEV listing. Successful exploitation yields full confidentiality, integrity, and availability impact on the affected host.
Technical ContextAI
Microsoft PowerToys is a Microsoft-published collection of system utilities for Windows power users (e.g., FancyZones, PowerToys Run, Keyboard Manager) that runs with components capable of interacting with elevated contexts. The root cause is classified as CWE-285 (Improper Authorization), meaning a PowerToys component fails to correctly verify that the calling user is permitted to perform a privileged action, enabling a lower-privileged caller to invoke functionality reserved for higher-privileged users. The MSRC advisory (CVE-2026-42902) is the sole referenced source and does not disclose which specific PowerToys module contains the flawed authorization check.
RemediationAI
Apply the fixed Microsoft PowerToys release referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42902 as the primary remediation; a specific patched version is not enumerated in the provided data, so the patch status is best described as patch available per vendor advisory. As compensating controls until patching is complete, uninstall PowerToys from systems where it is not actively required (trade-off: removes productivity utilities relied on by developers), restrict local interactive logon on sensitive endpoints to trusted administrators via Group Policy (trade-off: may break shared workstation workflows), and monitor endpoint telemetry for unexpected child processes or token elevation originating from PowerToys binaries (trade-off: requires EDR tuning to avoid noise from legitimate PowerToys usage).
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35659
GHSA-7vhg-93p3-4hvq