Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Integer underflow (wrap or wraparound) in Windows Performance Monitor allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Windows Performance Monitor enables unauthenticated network attackers to execute arbitrary code by triggering an integer underflow condition in the component's data handling logic. The flaw carries a CVSS score of 8.1 with high attack complexity, and while no public exploit identified at time of analysis, the SSVC assessment rates technical impact as total. Microsoft has released a patch via MSRC, and the issue is also tracked in VulDB entry 369628.
Technical ContextAI
Windows Performance Monitor (PerfMon) is a built-in Windows administrative tool used for collecting and analyzing system performance counters, event traces, and configuration data from local and remote systems. The root cause is CWE-191 (Integer Underflow / Wrap or Wraparound), which occurs when an arithmetic operation produces a value below the minimum representable integer, wrapping to a very large unsigned value. In this context, the underflow likely occurs during the parsing of network-delivered performance counter or configuration data, where a length or size field is decremented past zero, leading to out-of-bounds memory operations exploitable for code execution. The 'Authentication Bypass' tag in the intelligence feed combined with PR:N in the CVSS vector suggests the vulnerable code path is reachable without prior authentication to the host.
RemediationAI
Apply the Microsoft-issued security update for CVE-2026-42981 referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42981 - Patch available per vendor advisory, with exact KB/build numbers to be obtained directly from MSRC per Windows SKU. As a compensating control until patching is complete, restrict inbound network access to the Performance Monitor and related remote performance counter services (RPC endpoints, WMI, and remote registry) by blocking TCP ports 135 and 445 and the dynamic RPC range at perimeter and host-based firewalls for hosts that do not require remote performance monitoring; the trade-off is that legitimate remote monitoring tooling, centralized SCOM/PerfMon collection, and remote administration via MMC snap-ins will break, so this should be scoped to externally exposed or DMZ systems. Where remote monitoring is required, restrict the source IPs allowed to reach those RPC endpoints to a known management subnet via Windows Firewall scoping rules.
Same weakness CWE-191 – Integer Underflow
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35735
GHSA-4vf7-qxxr-9pxc