Skip to main content

Microsoft PowerToys CVE-2026-42902

| EUVDEUVD-2026-35659 HIGH
Improper Authorization (CWE-285)
2026-06-09 secure@microsoft.com GHSA-7vhg-93p3-4hvq
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 17:39 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.8

DescriptionNVD

Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Microsoft PowerToys allows an authenticated low-privileged user on a Windows system with PowerToys installed to elevate to higher privileges by abusing an improper authorization check (CWE-285). The flaw requires existing local access and low-level credentials, with no public exploit identified at time of analysis and no CISA KEV listing. Successful exploitation yields full confidentiality, integrity, and availability impact on the affected host.

Technical ContextAI

Microsoft PowerToys is a Microsoft-published collection of system utilities for Windows power users (e.g., FancyZones, PowerToys Run, Keyboard Manager) that runs with components capable of interacting with elevated contexts. The root cause is classified as CWE-285 (Improper Authorization), meaning a PowerToys component fails to correctly verify that the calling user is permitted to perform a privileged action, enabling a lower-privileged caller to invoke functionality reserved for higher-privileged users. The MSRC advisory (CVE-2026-42902) is the sole referenced source and does not disclose which specific PowerToys module contains the flawed authorization check.

RemediationAI

Apply the fixed Microsoft PowerToys release referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42902 as the primary remediation; a specific patched version is not enumerated in the provided data, so the patch status is best described as patch available per vendor advisory. As compensating controls until patching is complete, uninstall PowerToys from systems where it is not actively required (trade-off: removes productivity utilities relied on by developers), restrict local interactive logon on sensitive endpoints to trusted administrators via Group Policy (trade-off: may break shared workstation workflows), and monitor endpoint telemetry for unexpected child processes or token elevation originating from PowerToys binaries (trade-off: requires EDR tuning to avoid noise from legitimate PowerToys usage).

Share

CVE-2026-42902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy