Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Out-of-bounds write in Windows Hotpatch Monitoring Service allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows Hotpatch Monitoring Service enables an authenticated low-privileged attacker to gain elevated privileges through an out-of-bounds write (CWE-787) memory corruption flaw. The CVSS 7.8 (AV:L/AC:L/PR:L) reflects local attack vector with low complexity once a foothold is obtained, and no public exploit identified at time of analysis. The vulnerability was reported by Microsoft's own security team (secure@microsoft.com), suggesting internal discovery prior to disclosure.
Technical ContextAI
The Windows Hotpatch Monitoring Service is part of Microsoft's Hotpatch infrastructure that enables applying security updates to running processes without requiring a system restart, primarily used in Azure and Windows Server environments. The root cause is CWE-787 (Out-of-bounds Write), a memory safety flaw where the service writes data past the boundaries of an allocated buffer - typically corrupting adjacent memory structures such as function pointers, return addresses, or object headers. Because the Hotpatch service runs with elevated system privileges to manage kernel and user-mode patching operations, corruption of its memory space provides a direct path to privilege elevation. The 'Buffer Overflow, Memory Corruption' tags reinforce that this is a classic memory-safety defect rather than a logic flaw.
RemediationAI
Apply the Microsoft security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42910 as the primary remediation - patch available per vendor advisory, with exact build numbers to be retrieved from the MSRC update guide per affected Windows Server / Azure SKU. Because the attack requires local low-privileged access, defenders without an immediate patch window should harden local access controls: restrict interactive and remote PowerShell/RDP logon to Hotpatch-enabled hosts to administrators only, enforce LAPS-managed local accounts, and monitor for unexpected child processes spawned by the Hotpatch service (trade-off: tighter access controls may break automation accounts that rely on low-privilege local logon). If Hotpatch is not actively required, disabling the feature and reverting to scheduled-restart patching removes the attack surface entirely at the cost of patch-induced downtime.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35576
GHSA-gv67-34rh-v566