Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows NT OS Kernel allows an authenticated low-privileged attacker to elevate to SYSTEM by triggering an integer underflow condition. With a CVSS of 7.8 and no public exploit identified at time of analysis, this issue is primarily a post-compromise escalation vector commonly chained after initial access via phishing or commodity malware. Microsoft has released a patch through MSRC, and given Windows kernel EoP bugs are frequently weaponized by ransomware and APT actors historically, prompt patching is warranted despite the absence of confirmed in-the-wild exploitation.
Technical ContextAI
The vulnerability resides in the Windows NT OS Kernel - the core ring-0 component (ntoskrnl.exe) responsible for memory management, process scheduling, and system call handling. The root cause is CWE-122 (Heap-based Buffer Overflow), here triggered through an integer underflow/wraparound: an arithmetic operation on an unsigned value produces a value larger than expected, which is then used as a size or index for a heap allocation or copy, resulting in out-of-bounds writes within kernel pool memory. The 'Buffer Overflow, Heap Overflow' tags confirm the bug manifests as a heap corruption primitive in kernel space, which when exploited successfully grants attackers arbitrary kernel read/write and full SYSTEM privileges. Specific affected Windows builds are not enumerated in the available data and must be retrieved from MSRC.
RemediationAI
Apply the Microsoft-released security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42980 - patch available per vendor advisory, though the specific KB number and exact fixed kernel build are not enumerated in the input data and must be retrieved from MSRC for each affected Windows SKU. Prioritize patching multi-user systems, terminal servers, VDI hosts, and developer workstations where untrusted local code is most likely to execute. Until patching is complete, compensating controls include restricting local logon rights to trusted accounts via Group Policy (User Rights Assignment), enforcing application allowlisting through Windows Defender Application Control or AppLocker to prevent unsigned attacker binaries from running, and enabling Microsoft Defender for Endpoint with attack surface reduction rules to detect post-exploitation kernel-mode behavior - noting that AppLocker bypasses are well-known and these controls only raise the bar rather than eliminate the vector.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35598
GHSA-jh49-99q5-mwf2