Skip to main content

Windows Performance Monitor CVE-2026-42981

| EUVDEUVD-2026-35735 HIGH
Integer Underflow (CWE-191)
2026-06-09 secure@microsoft.com GHSA-4vf7-qxxr-9pxc
8.1
CVSS 3.1 · NVD
Temporal: 7.1
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
7.1 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 18:41 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 8.1

DescriptionNVD

Integer underflow (wrap or wraparound) in Windows Performance Monitor allows an unauthorized attacker to execute code over a network.

AnalysisAI

Remote code execution in Windows Performance Monitor enables unauthenticated network attackers to execute arbitrary code by triggering an integer underflow condition in the component's data handling logic. The flaw carries a CVSS score of 8.1 with high attack complexity, and while no public exploit identified at time of analysis, the SSVC assessment rates technical impact as total. Microsoft has released a patch via MSRC, and the issue is also tracked in VulDB entry 369628.

Technical ContextAI

Windows Performance Monitor (PerfMon) is a built-in Windows administrative tool used for collecting and analyzing system performance counters, event traces, and configuration data from local and remote systems. The root cause is CWE-191 (Integer Underflow / Wrap or Wraparound), which occurs when an arithmetic operation produces a value below the minimum representable integer, wrapping to a very large unsigned value. In this context, the underflow likely occurs during the parsing of network-delivered performance counter or configuration data, where a length or size field is decremented past zero, leading to out-of-bounds memory operations exploitable for code execution. The 'Authentication Bypass' tag in the intelligence feed combined with PR:N in the CVSS vector suggests the vulnerable code path is reachable without prior authentication to the host.

RemediationAI

Apply the Microsoft-issued security update for CVE-2026-42981 referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42981 - Patch available per vendor advisory, with exact KB/build numbers to be obtained directly from MSRC per Windows SKU. As a compensating control until patching is complete, restrict inbound network access to the Performance Monitor and related remote performance counter services (RPC endpoints, WMI, and remote registry) by blocking TCP ports 135 and 445 and the dynamic RPC range at perimeter and host-based firewalls for hosts that do not require remote performance monitoring; the trade-off is that legitimate remote monitoring tooling, centralized SCOM/PerfMon collection, and remote administration via MMC snap-ins will break, so this should be scoped to externally exposed or DMZ systems. Where remote monitoring is required, restrict the source IPs allowed to reach those RPC endpoints to a known management subnet via Windows Firewall scoping rules.

Share

CVE-2026-42981 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy