
Windows Push Notifications CVE-2026-42991

EUVD: EUVD-2026-35741 (High)
Weakness: Race Condition (CWE-362)
Published: 2026-06-09 · Reporter: secure@microsoft.com · GHSA-56p9-f9vp-94x2
Severity: High (Disputed · NVD 7.8 · Temporal 6.8)

Severity by source

Sources disagree (Medium–Critical):
NVD (primary): 7.8 HIGH, vector AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
ENISA EUVD: CRITICAL (qualitative rating)
CIRCL (temporal): 6.8 MEDIUM (CVSS temporal score)

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 09, 2026 - 18:45 (vuln.today)
CVE Published: Jun 09, 2026 - 17:17 (NVD), rated HIGH 7.8

Description (NVD)

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

Analysis (AI-generated)

Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) that an authenticated low-privilege user can win to gain higher privileges on the host. The CVSS 7.8 score with Scope:Changed indicates successful exploitation crosses a security boundary, impacting confidentiality, integrity, and availability of resources beyond the vulnerable component. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain low-privilege local account
Delivery: Drop race exploit binary
Exploit: Spawn concurrent threads against WpnUserService
Execution: Win TOCTOU window on shared resource
Persist: Execute code as elevated service
Impact: Access protected resources cross-scope

Vulnerability Assessment (AI-generated)

Exploitation: The attacker must already have authenticated local code execution as a low-privileged user (PR:L) on the target Windows host; this is not remotely exploitable. …

Risk Assessment: Real-world risk is moderate rather than critical despite the 7.8 CVSS base score. …

Exploit Scenario: An attacker with valid low-privilege credentials on a Windows host (for example a standard domain user on a shared workstation, a compromised service account, or a foothold gained through phishing) runs a small tool that repeatedly invokes Push Notifications APIs while a second thread manipulates the shared resource to win the race window. On a successful run, the attacker's code executes in the security context of the higher-privileged notification service, allowing them to access protected resources or stage further lateral movement. …

Remediation: Apply the patch available per the Microsoft Security Response Center advisory for CVE-2026-42991 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42991) through standard Windows Update or WSUS channels for all affected client and server SKUs; the exact fix KB numbers are listed in the MSRC entry and should be cited from that advisory rather than inferred. …

Recommended Action (AI-generated)

Within 24 hours: Inventory Windows systems running Push Notifications service, prioritizing deployments with standard user access. …


CVE-2026-42991 vulnerability details – vuln.today
