Microsoft dropped CVE-2026-42902 into the June 2026 Patch Tuesday cycle on June 9, 2026, flagging an elevation-of-privilege vulnerability in Microsoft PowerToys. The advisory moves a utility adored by Windows power users directly into the enterprise patch management queue, demanding immediate attention from IT teams.

PowerToys is an open-source suite of utilities that supercharges Windows with features like FancyZones, PowerRename, and Keyboard Manager. Its deep system integration—hooking into input processing, file operations, and window management—creates a broad attack surface. When a tool with this level of access carries an elevation-of-privilege flaw, the risk pivots from a niche annoyance to a full-blown security incident waiting to happen.

What Makes CVE-2026-42902 Dangerous

Microsoft’s advisory classifies the vulnerability as “Elevation of Privilege” and “Important” severity. Attackers who successfully exploit CVE-2026-42902 can escalate from a low-integrity process to SYSTEM-level rights. That means a compromised user account—or a malicious script running with limited permissions—could hijack the entire machine.

Elevation-of-privilege bugs are the backbone of modern cyberattack chains. Adversaries use them to break out of sandboxes, disable security tools, and deploy ransomware without user interaction. In the context of PowerToys, an exploit might arrive through a malformed settings file, a poisoned shortcut, or a crafted keyboard remapping profile. The utility’s Always On Top, Awake, or PowerToys Run components—each interacting with system-level hooks—present multiple entry points.

Microsoft hasn’t disclosed whether the vulnerability is publicly known or already under active exploitation. The advisory’s “Exploitation Less Likely” assessment offers cold comfort; that rating often flips once proof-of-concept code circulates. Security teams should treat this as a potential zero-day precursor.

Patch Deployment and Patching Strategy

Microsoft released an updated version of PowerToys that fully addresses CVE-2026-42902. The patched release is v0.90.1, available through the Microsoft Store, GitHub releases, or winget. Organizations using enterprise deployment tools must validate that every instance of PowerToys is updated to this version or later.

Critical deployment steps:

  • Identify all endpoints where PowerToys is installed. This utility often slips into environments through developer workstations, IT admin toolkits, or user-driven installations. Shadow IT can easily mask its presence.
  • Block outdated versions with AppLocker or Windows Defender Application Control (WDAC) until the patch is applied. Create a rule that denies execution of PowerToys.exe with a file version below 0.90.1.0.
  • Prioritize workstations over servers. PowerToys is a desktop productivity tool; server instances are unusual but should be checked nonetheless.
  • Test upgrades on a representative sample before broad rollouts. PowerToys updates can occasionally conflict with other shell extensions or GPU-accelerated utilities.

Microsoft has not provided a manual workaround. The only remediation is installing the patched version. Security-only micro-patches are not available for this utility, so a full upgrade is mandatory.

Inventory Detection: PowerShell and SCCM Scripts

IT administrators need a reliable way to scan the entire estate for vulnerable PowerToys installations. The following PowerShell snippet queries the installed version from the Windows registry and reports any build earlier than 0.90.1:

$minimumVersion = [System.Version]"0.90.1"
$keyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
            "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
$vulnerable = @()

foreach ($path in $keyPath) {
    $apps = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like "*PowerToys*" }
    foreach ($app in $apps) {
        if ($app.DisplayVersion) {
            $ver = [System.Version]$app.DisplayVersion
            if ($ver -lt $minimumVersion) {
                $vulnerable += [PSCustomObject]@{
                    ComputerName = $env:COMPUTERNAME
                    DisplayName   = $app.DisplayName
                    Version       = $app.DisplayVersion
                    UninstallString = $app.UninstallString
                }
            }
        }
    }
}

if ($vulnerable.Count -gt 0) {
    $vulnerable | Export-Csv -Path "C:\Temp\PowerToys_Vulnerable.csv" -NoTypeInformation
    Write-Host "Found $($vulnerable.Count) vulnerable instances. Exported to CSV."
} else {
    Write-Host "No vulnerable PowerToys installations detected."
}

For SCCM environments, create a baseline configuration item that checks the file version of PowerToys.exe in the default installation directory (%ProgramFiles%\PowerToys) and compares it to 0.90.1.0. Non-compliant machines should trigger a collection membership for automated remediation.

The Wider PowerToys Security Context

This isn’t PowerToys’ first dance with the Microsoft Security Response Center. The utility’s GitHub repository shows a steady trickle of security fixes over the years, though most were rated Low or Moderate. CVE-2026-42902 stands out because of its privilege escalation potential and the product’s pervasive use in developer and IT professional circles.

PowerToys is more than a casual download. Enterprises often standardize on FancyZones for window management on ultrawide monitors or PowerRename for bulk file operations. Every such adoption expands the vulnerability footprint. Executive dashboards rarely list PowerToys in the software inventory, yet a single exploitable instance can open the door to lateral movement and credential theft.

Microsoft’s decision to issue a CVE—rather than simply fixing the bug in a routine update—underscores the severity. CVEs trigger a formal risk management response in most organizations: risk assessments, change control boards, and executive reporting. The psycholocigal impact of a CVE versus a silent patch pushes security teams to act.

How to Audit PowerToys Usage Before and After Patching

Beyond version detection, security teams should measure the actual usage of PowerToys components in their environment. This data helps justify the patch urgency and identifies high-risk user profiles.

Usage audit approach:

  1. Event log analysis: PowerToys Run logs keyword searches in Windows Event Log under Applications and Services Logs > Microsoft > Windows > PowerShell > Operational. Although not a first-party log, certain PowerToys modules generate telemetry when invoked.
  2. Process creation auditing: Enable Event ID 4688 and filter for PowerToys.* executables. Track which users launch PowerToys Awake, ColorPicker, or Video Conference Mute over a typical work week.
  3. Registry snapshots: Some PowerToys modules store configuration in HKEY_CURRENT_USER\Software\Microsoft\PowerToys. The number of subkeys and values often correlates with active usage.
  4. Network connections: PowerToys Run’s plugin for web search establishes outbound HTTP connections. Monitor firewall logs for non-standard browser processes making such requests.

These audits serve a dual purpose: they inform the patching priority (someone who runs PowerToys daily faces higher exposure) and they create a baseline that can detect abnormal behavior post-patch if the vulnerability was previously exploited.

Response Timeline and Communications

Organizations operating under a defined vulnerability management policy should execute the following actions within the indicated SLAs:

Timeframe Action
0–24 hours Distribute initial advisory to IT teams. Begin automated inventory scans.
24–72 hours Deploy patch to all workstations where PowerToys is installed. Enforce version control via GPO or management tool.
72 hours–1 week Complete remediation for any outlier devices. Conduct post-patch validation scan.
1 week–2 weeks Perform forensic review of high-value assets to detect prior exploitation attempts (log analysis for suspicious PowerToys activity before patch).

Communication with end users should be straightforward: “An important security update for PowerToys is mandatory. The application will be updated automatically overnight. Please restart your computer in the morning to complete the installation.” Avoid leaking technical details that could aid attackers before the patch saturates the environment.

Risk Mitigation if Patching Is Delayed

For the rare case where an immediate patch is impossible—legacy application compatibility, change freeze, or overseas offline systems—apply these compensating controls:

  • Restrict PowerToys execution to authorized users via AppLocker path rules. Only allow membership in a dedicated security group.
  • Disable specific vulnerable modules if the vendor provides runtime flags. Historically, PowerToys settings stored in settings.json can toggle modules. Focus on Always On Top, PowerToys Run, and Keyboard Manager if the CVE hints at those vectors.
  • Monitor for unexpected child processes spawned by PowerToys. Use Sysmon to log Image: PowerToys.exe events and alert when it launches cmd.exe, powershell.exe, or other suspicious offspring.
  • Implement network segmentation that restricts the device’s ability to make lateral RPC or SMB connections until patching completes.

These are stopgaps, not solutions. The only permanent fix is updating to v0.90.1 or later.

Lessons for Software Supply Chain Hygiene

CVE-2026-42902 reinforces a discipline that many Windows shops ignore: maintaining an inventory of “power user” tools. These utilities occupy a gray zone between sanctioned enterprise software and personal productivity tweaks. They rarely appear in procurement records, yet they often receive SYSTEM-like trust.

Recommendations for preventing blind spots:

  • Include PowerToys in your standard software catalog with approved versions, even if it’s an optional deploy. This ensures patch management tools recognize it.
  • Leverage winget for centralized updates. Winget can be scripted via winget upgrade Microsoft.PowerToys and integrated into Microsoft Intune or other UEM platforms.
  • Enable auto-update in PowerToys settings, but verify the setting regularly through compliance policies—users can disable it.
  • Treat open-source utilities with the same scrutiny as commercial software. Check for CVEs, maintenance activity, and signed binaries before broad adoption.

The episode also highlights the value of Microsoft’s decision to issue CVEs for PowerToys. In earlier eras, a vulnerability in a utility might only appear in a GitHub release note, invisible to risk management frameworks. Now, it flows into the same patch pipeline as Windows OS flaws, ensuring board-level visibility.

The Bottom Line

CVE-2026-42902 is not the loudest vulnerability in June’s Patch Tuesday—remote code execution and zero-days steal headlines—but its quiet reach into the daily toolkit of your most technical users makes it a stealthy accelerator for broader compromise. Patch it immediately. Verify every endpoint. Audit for prior signs of misuse. And then revisit your software inventory policy so the next PowerToys CVEs doesn’t catch you off guard again.