
Windows Push Notifications CVE-2026-42978

EUVD: EUVD-2026-35738 (HIGH)
Weakness: Race Condition (CWE-362)
2026-06-09 · secure@microsoft.com · GHSA-mjxj-356g-98wq
Severity: High (disputed) · NVD 7.8 · Temporal: 6.8

Severity by source

Sources disagree (Medium–Critical)

NVD (primary): 7.8 HIGH, AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
ENISA EUVD: CRITICAL (qualitative)
CIRCL (temporal): 6.8 MEDIUM (cvss)

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Jun 09, 2026 - 17:17 (nvd), HIGH 7.8
Analysis Generated: Jun 09, 2026 - 18:39 (vuln.today)

Description (NVD)

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

Analysis (AI)

Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) in concurrent handling of shared resources, allowing an authorized low-privileged attacker to win a timing window and elevate to higher privileges with scope change. The CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H reflects local-only exploitation with high attack complexity due to the timing-dependent nature, but a successful attacker gains full confidentiality, integrity, and availability impact across a security boundary. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privileged local session
Delivery: Enumerate Push Notifications IPC surface
Exploit: Trigger concurrent shared-resource operations
Execution: Win race against WpnService
Persist: Hijack privileged operation
Impact: Execute code as SYSTEM

Vulnerability Assessment (AI)

Exploitation: Attacker must already have an authenticated local session on the target Windows host with at least standard user privileges (PR:L) and the ability to execute code locally (AV:L); no user interaction from another account is required (UI:N). …

Risk Assessment: Risk is moderate-to-high for endpoints where untrusted users have local sessions. …

Exploit Scenario: An attacker who has already obtained a low-privileged local shell on a Windows host - for example via a phishing payload or a compromised standard-user account - runs a small tool that repeatedly invokes the Push Notifications IPC interface while concurrently manipulating a shared resource the service operates on. After many timing-sensitive iterations, the attacker wins the race and causes the privileged service to act on attacker-controlled data, yielding code execution or token manipulation across a security boundary and effective SYSTEM-level control. …

Remediation: Apply the Microsoft-released security update for CVE-2026-42978 as listed in the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42978 - patch available per vendor advisory, with exact KB numbers varying by Windows SKU and build. …

Recommended Action (AI)

Within 24 hours: Inventory all Windows systems with Push Notifications service enabled and identify business-critical assets. …
