Description
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the Windows Push Notifications service allows a local, authorized attacker to gain higher privileges on the system. The flaw stems from improper synchronization when multiple threads access a shared resource, leading to a failed privilege check that can be exploited to elevate privileges. The vulnerability is identified by CWE-362 (Race Condition) and CWE-416 (Use After Free). The primary effect is a local privilege escalation that could enable an attacker to run arbitrary code as SYSTEM or another privileged account, thereby compromising the confidentiality, integrity, and availability of the affected system.

Affected Systems

Microsoft Windows products from Windows 10 Version 1809 and 21H2 through Windows 11 Version 26H1, as well as Windows Server 2019, 2022, and 2025 (including Server Core installations) are impacted. All released builds of these operating systems that have not applied the vendor patch are vulnerable.

Risk and Exploitability

The CVSS v3.1 score of 7.8 indicates that the flaw is of high severity, offering local privilege escalation without remote access prerequisites. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that no widespread exploitation has been documented yet. The attack requires an authorized local user to trigger parallel access to the Push Notifications resource; if such conditions exist and the system is not patched, exploitation is straightforward with existing Windows debugging or scripting tools. Given the high CVSS score, the theoretical risk remains significant for unpatched systems, especially in environments where users have local administrator privileges or where the Push Notifications service runs with elevated rights.

Generated by OpenCVE AI on June 9, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Windows security updates that address CVE‑2026‑42979 to eliminate the race condition in the Push Notifications service.
  • If an update cannot be applied immediately, disable the Windows Push Notifications service (mspushsvc) via Services.msc and ensure that any third‑party applications that trigger push notifications are quarantined or removed.
  • Verify that all user accounts have the least privilege necessary for their role, removing any local administrator rights where possible, to limit the impact of a potential local privilege escalation.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:15:00 +0000

Type / Values Removed / Values Added

First Time appeared
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows 11 23h2
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows 11 26h1
  Microsoft windows Server 2019 (server Core Installation)
  Microsoft windows Server 2025 (server Core Installation)

Vendors & Products
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows 11 23h2
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows 11 26h1
  Microsoft windows Server 2019 (server Core Installation)
  Microsoft windows Server 2025 (server Core Installation)

Tue, 09 Jun 2026 17:15:00 +0000

Type / Values Removed / Values Added

Description
  Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

Title
  Windows Push Notifications Elevation of Privilege Vulnerability

First Time appeared
  Microsoft
  Microsoft windows 10 1809
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows 11 23h2
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows 11 26h1
  Microsoft windows Server 2019
  Microsoft windows Server 2022
  Microsoft windows Server 2025

Weaknesses
  CWE-362
  CWE-416

CPEs
  cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
  cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
  cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*

Vendors & Products
  Microsoft
  Microsoft windows 10 1809
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows 11 23h2
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows 11 26h1
  Microsoft windows Server 2019
  Microsoft windows Server 2022
  Microsoft windows Server 2025

References

Metrics
  cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:51:27.252Z

Reserved: 2026-04-30T23:43:50.745Z

Link: CVE-2026-42979

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:13.697

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-42979

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:00:17Z

Weaknesses