Severity by source
Sources disagree (Medium–Critical)AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) that an attacker with low-privileged local access can exploit to gain higher privileges. No public exploit identified at time of analysis, and the issue is not on CISA KEV, but the CVSS 7.8 rating reflects high impact across confidentiality, integrity, and availability once the race is won. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must already hold local, interactive or interactive-equivalent execution on the target Windows host as a low-privileged authenticated user (PR:L, AV:L, UI:N), and must reliably win a timing race against the Windows Push Notifications service (AC:H), which typically requires multiple attempts and may be sensitive to CPU load, core count, and scheduler behavior. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) signals a meaningful but constrained risk: an attacker must already have local code execution with low privileges and must reliably win a race (AC:H), but successful exploitation yields full system compromise across an authority boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A standard user on a shared Windows host - for example, an RDP jump server or a workstation already compromised by a phishing payload running as the logged-in user - launches a small tool that repeatedly triggers the vulnerable Push Notifications code path while concurrently manipulating the shared resource. After enough iterations the race is won, allowing the attacker's process to influence privileged operations and elevate to SYSTEM. … |
| Remediation | Apply the Microsoft security update referenced in the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42979) corresponding to your Windows build - patch is available from the vendor, though an exact KB/build number was not provided in the input and must be taken directly from the MSRC update guide for your SKU. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct a complete inventory of Windows systems running Push Notifications service and document current patch levels. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35740
GHSA-j5xm-8fgh-w49x