Microsoft disclosed a security feature bypass vulnerability in Windows 11’s Administrator Protection on June 9, 2026, issuing patches for all supported versions. Tracked as CVE-2026-42829, the flaw carries an Important severity rating and could allow attackers to sidestep a critical safeguard that prevents stealthy administrative actions. The updates land on the June 2026 Patch Tuesday, with KB5094126 addressing Windows 11 24H2 and KB5095051 covering 25H2 and the freshly released 26H1.

Administrator Protection forms a last-mile defense against privilege escalation. Introduced with 24H2, it forces explicit consent for any operation requiring admin rights—even when a user already runs with an administrator token. Think of it as sudo for Windows, but integrated directly into the kernel’s security boundaries. Without it, malware that tricks a user into clicking a rigged installer can quietly wield full system control. CVE-2026-42829 tears a hole in that barrier.

Microsoft hasn’t published technical details of the bypass mechanism, a standard practice to prevent exploitation while enterprises roll out fixes. What’s clear is that the vulnerability undermines the security boundary Microsoft describes as a “first line of defense” in its Admin Protection documentation. Attack scenarios likely involve a local, authenticated actor—someone who already has a foothold on the machine—leveraging the bug to perform administrative tasks without triggering the consent prompt. That turns a minor breach into a complete system compromise in seconds.

A deeper look at CVE-2026-42829

CVE-2026-42829 is classified as a Security Feature Bypass. In the Common Weakness Enumeration lexicon, it falls under CWE-254 (Security Features). The exploitation metrics are still under wraps, but the impact is clear: a bypass of Admin Protection renders one of Windows 11’s marquee security features useless. The attack vector is local, meaning an attacker must already have code execution on the target machine—through a malicious document, a compromised application, or social engineering. Once inside, they can chain this bypass with other exploits to seize full control without the user ever seeing a warning.

Microsoft’s severity rating of Important—not Critical—reflects the requirement for local access. However, in practice, local privilege escalation bugs are the bread and butter of ransomware gangs and state-sponsored actors. When combined with a remote code execution flaw, the gap between Important and Critical vanishes. This makes CVE-2026-42829 a high-priority update for any organization that relies on Admin Protection to harden endpoints.

The disclosure arrives exactly on Patch Tuesday, following a coordinated vulnerability disclosure timeline. The researcher who reported the flaw remains unnamed in Microsoft’s advisory, but the company’s acknowledgment suggests a responsible disclosure process that allowed engineering teams to build and test the fixes without public pressure.

Inside Windows Administrator Protection

To understand the gravity of the bypass, you have to appreciate what Administrator Protection does. Prior to Windows 11 24H2, the operating system relied on User Account Control (UAC) to gate administrative operations. UAC pops a prompt, but it operates within the user’s session and can be weakened by group policies or user habit (clicking Yes reflexively). Malware frequently abuses token manipulation and COM elevation to bypass UAC entirely.

Administrator Protection, based on the newer Windows security model known as Adminless, shifts the paradigm. When enabled, even users in the Administrators group run with a standard user token by default. Any request for elevation switches the process to an isolated, hidden admin account with a dedicated token. That switch must be explicitly approved via a secure dialogue that runs in a separate, hardened session—akin to how Windows Hello prompts operate. The consent dialogue cannot be automated, simulated, or dismissed by sending keystrokes, making it resistant to UI manipulation attacks.

The feature was optional in 24H2 but Microsoft pushed it harder in 25H2, enabling it by default on Pro and Enterprise SKUs during clean installs. With 26H1, it becomes the standard experience even for home users. This progressive rollout signaled Microsoft’s confidence that Admin Protection could finally shrink the attack surface that UAC left open for over a decade.

CVE-2026-42829 spotlights a scenario where that confidence may have been premature. A bypass allows an attacker to switch to the hidden admin token without triggering the consent prompt, effectively giving them high-integrity access silently. Whether the bug lives in the kernel’s token switching logic, the consent broker, or the app isolation layer is unknown, but any path that skirts the prompt defeats the purpose of the entire feature.

Which versions are affected and how to patch

Every currently supported Windows 11 edition with Administrator Protection enabled is in the line of fire. That includes:

  • Windows 11 24H2 (the original release)
  • Windows 11 25H2 (the mid-cycle feature update)
  • Windows 11 26H1 (the annual feature update, now shipping on new devices)

Older Windows 11 releases (21H2, 22H2, 23H2) do not contain Administrator Protection and are not affected by this CVE. Windows 10, regardless of version, is similarly immune.

The fixes arrive in two cumulative updates:

| Version | Update KB |
|---|---|
| Windows 11 24H2 | KB5094126 |
| Windows 11 25H2 & 26H1 | KB5095051 |

Both are mandatory security updates distributed through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. Organizations using patch management tools like Microsoft Intune or ConfigMgr can push these updates immediately. After installation, a reboot is required. The updates bring the 24H2 build to 26100.xxxx (the specific build number was not yet public as of the advisory) and the 25H2/26H1 builds to 26200.xxxx.

Microsoft recommends that all users enable automatic updates and verify installation by checking for KB5094126 or KB5095051 in Update History. For home users, the patches will download and install during regular maintenance windows. Enterprise admins should prioritize deployment to high-value assets—executive laptops, finance workstations, and servers running Windows 11 with Admin Protection—within 24 hours.
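The Update History check can also be scripted per host. The following PowerShell is an added example, not code from Microsoft's advisory; the function name is hypothetical, and the release-to-KB mapping is the one given in the table above.

```powershell
# Added example. Release-to-KB mapping is taken from the article's table.
$RequiredKb = @{ '24H2' = 'KB5094126'; '25H2' = 'KB5095051'; '26H1' = 'KB5095051' }

function Get-AdminProtectionPatchState {   # hypothetical helper name
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $release = [string]$cv.DisplayVersion
    $isWin11 = [int]$cv.CurrentBuildNumber -ge 22000   # Windows 10 builds are 19xxx

    $state = [ordered]@{
        Computer      = $env:COMPUTERNAME
        Release       = $release
        Build         = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
        RequiredKb    = $null
        InstalledOn   = $null
        # The article notes a reboot is required; this key exists while one is outstanding.
        RebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        Status        = 'NotListed'   # release is not one the article names as affected
    }

    if ($isWin11 -and $RequiredKb.ContainsKey($release)) {
        $kb = $RequiredKb[$release]
        $state.RequiredKb = $kb
        $fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        if ($fix) {
            $state.InstalledOn = $fix.InstalledOn
            $state.Status = if ($state.RebootPending) { 'InstalledRebootPending' } else { 'Patched' }
        } else {
            $state.Status = 'Missing'
        }
    }
    [pscustomobject]$state
}

$result = Get-AdminProtectionPatchState
$result | Format-List
if ($result.Status -eq 'Missing') { exit 1 }   # non-zero exit so a management tool can flag the host
```

Because cumulative updates supersede one another, a host that has already taken a later monthly update may report `Missing` for these specific KBs; compare the `Build` field against the patched build number once it is published.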

Side effects and known issues

As with many cumulative updates, the June patches roll up previous fixes and carry a small risk of side effects. Microsoft’s known issues list at the time of release contains no new entries specific to these KBs, but administrators should monitor the usual suspects: print spooler hiccups on certain Canon and Kyocera drivers, authentication failures on devices with smart card readers using non-standard middleware, and rare boot failures on systems with heavily customized system firmware. All were observed in prior 2026 cumulative updates and may reappear.

One notable change in KB5095051: the update also forces an Administrator Protection health check after patching. This check verifies that the consent dialogue renders correctly and that the token switch executes within expected time thresholds. If the check fails, the update will roll back automatically—a safeguard Microsoft introduced after a botched Defender update bricked machines in early 2026.

Historical context: the privilege escalation arms race

Bypassing admin confirmation prompts is a storied tradition in Windows security research. UAC bypasses, once a staple of every exploit toolkit, taught Microsoft that convenience always trumps security if prompts are too frequent. Admin Protection tried to square that circle by making prompts rarer and harder to bypass. CVE-2026-42829 suggests that the arms race isn’t over.

In 2025, a similar bypass (CVE-2025-31129) was found in the Windows Secure Kernel Mode Elevation channel, though that required a kernel pool corruption as a prerequisite. The 2026 flaw appears to be less complex—requiring only local code execution—which makes it more dangerous despite the Important tag. Red teamers and penetration testers will undoubtedly weaponize the technique once details leak.

What sets this apart is the widespread adoption of Admin Protection. By mid-2026, Microsoft estimates that over 60% of Windows 11 enterprise seats have the feature enabled. That’s a massive target surface, dwarfing earlier UAC hardening efforts. If an exploit chain emerges, the blast radius could rival the PrintNightmare saga of 2021.

Defensive measures beyond patching

Patching remains the definitive fix, but defense-in-depth strategies can reduce risk until updates are applied:

  • Confirm Admin Protection status: Launch the Windows Security app, navigate to Device Security > Administrator Protection, and verify that the feature is toggled on. If it’s off, the CVE is irrelevant for that machine—but turning it on after patching is still recommended.
  • Application control policies: Windows Defender Application Control and AppLocker can restrict which binaries execute, making it harder for an attacker to run the exploit payload in the first place.
  • Least-privilege user accounts: In corporate environments, remove users from the local Administrators group. With Admin Protection, they can still elevate when needed, but the baseline token remains standard, reducing the attack surface.
  • Enable Attack Surface Reduction rules: Microsoft Defender for Endpoint rules such as “Block process creations originating from PSExec and WMI commands” can hinder lateral movement after exploitation.
  • Monitor for suspicious admin activity: Event ID 4625 (failed logon) and 4672 (special privileges assigned) in the Security log can signal that someone is fishing for elevated tokens. Pair with SIEM tools for alerting.

These measures don’t close the hole but raise the bar, forcing attackers to chain more vulnerabilities and increasing the chance of detection.
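For the monitoring item above, a starting point is to summarize the two event IDs per account before wiring them into a SIEM. This PowerShell is an added example, not part of the original article; the function names are hypothetical, and it must run in an elevated session to read the Security log.

```powershell
# Added example: per-account counts of 4672 (special privileges assigned)
# and 4625 (failed logon) over a recent window.
function ConvertTo-EventFields {             # hypothetical helper: EventData -> object
    param($Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

function Get-ElevationSignalSummary {        # hypothetical helper name
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # SYSTEM, LOCAL SERVICE, NETWORK SERVICE, DWM-n and UMFD-n generate 4672 constantly.
    $noise = '^S-1-5-(18|19|20|90-|96-)'

    $privileged = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventFields $_ } |
        Where-Object { $_.SubjectUserSid -notmatch $noise } |
        Group-Object { '{0}\{1}' -f $_.SubjectDomainName, $_.SubjectUserName }

    $failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventFields $_ } |
        Group-Object { '{0}\{1}' -f $_.TargetDomainName, $_.TargetUserName }

    foreach ($g in $privileged) { [pscustomobject]@{ EventId = 4672; Account = $g.Name; Count = $g.Count } }
    foreach ($g in $failed)     { [pscustomobject]@{ EventId = 4625; Account = $g.Name; Count = $g.Count } }
}

Get-ElevationSignalSummary -Hours 24 |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it on a known-good machine first to establish a baseline; accounts whose 4672 count rises without a matching change in how the machine is used are the ones worth a closer look.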

What this means for Windows 11’s security roadmap

Microsoft has bet heavily on zero-trust principles and kernel isolation. Admin Protection, Hypervisor-Protected Code Integrity, and the shift toward Rust in the Windows kernel all aim to cut the legs out from under privilege escalation attacks. Yet every major Windows release still ships with at least one security feature bypass. It’s a reminder that complexity is the enemy of security, and Windows is a monument to complexity with three decades of legacy code.

CVE-2026-42829 will likely accelerate the internal migration to memory-safe languages for the consent broker components. Microsoft open-sourced parts of the Admin Protection stack in 2025 under the MIT license, inviting community scrutiny. That transparency may have helped identify this flaw—or it may have guided attackers to it. Either way, the fix landed quickly, and no in-the-wild exploitation has been reported before the patch.

The real test will be whether enterprise customers lose faith in Admin Protection and revert to UAC with all its weaknesses. Microsoft must convince them that this is a bump in the road, not a fundamental design flaw. A CVE doesn’t necessarily mean the architecture is broken; sometimes it’s a logic error in an otherwise sound barrier. The response to this disclosure—transparent, quick, and integrated into the normal Patch Tuesday rhythm—suggests Microsoft knows the stakes.

For now, Windows 11 users should install KB5094126 or KB5095051 without delay. The consent prompt you never see could be the one that hands your machine to an attacker.