Microsoft disclosed CVE-2026-42912 on June 9, 2026, as part of its monthly security update cycle. This elevation-of-privilege vulnerability in the Windows Telephony Service stems from a race condition that can allow an authenticated local attacker to gain SYSTEM-level privileges on an unpatched machine.

The flaw, classified as Important, earned a CVSS score of 7.0. It affects all supported versions of Windows client and server, including Windows 10, Windows 11, and Windows Server releases going back to 2008. Patches are now available through Windows Update, WSUS, and the Microsoft Update Catalog.

Understanding the Race Condition in TapiSrv

The Windows Telephony Service (TapiSrv) manages telephony-related interfaces for applications, handling hardware devices and software-based phone functions. While it runs only on demand by default, a local attacker can trigger it via API calls. Within the service, a synchronization flaw exists around a shared memory region used for inter-component communication.

A race condition occurs when two or more operations must execute in a specific sequence, but the software fails to enforce that ordering. In CVE-2026-42912, the service does not properly lock a critical section before accessing the shared resource. An attacker who wins the race can manipulate the service into performing operations that would normally require higher privileges, such as launching a child process with SYSTEM integrity.

The attack vector is entirely local. An adversary must already have a foothold on the target machine—either through compromised credentials, physical access, or another vulnerability that allowed limited code execution. From there, they can repeatedly invoke the Telephony Service and attempt to interleave malicious code at precisely the moment the synchronization gap opens.

Microsoft's advisory notes that the race is difficult to win reliably, which partially explains the moderate severity rating. However, in environments where Telephony Service is frequently used or where an attacker can run many parallel attempts, exploitation becomes more feasible.

Attack Scenario and Potential Impact

A typical attack chain would follow three stages: initial access, triggering the race, and privilege escalation. Suppose an attacker gains access as a low-privileged user through a phishing attack or by exploiting a separate remote code execution bug that runs in a sandbox. They then deploy a specially crafted executable that repeatedly sends requests to the Telephony Service while simultaneously manipulating the shared memory region. After thousands of attempts, they may successfully overwrite a function pointer or corrupt a handle, causing the service to execute attacker-controlled code with elevated privileges.

Once SYSTEM privileges are obtained, the attacker can disable security software, install persistent backdoors, exfiltrate sensitive data, or move laterally across the network. For organizations, a single machine compromise can quickly escalate into a domain-wide breach.

Critically, CVE-2026-42912 cannot be exploited remotely. Even though it is a local EoP, its value in post-exploitation chains makes it a prized vulnerability for ransomware operators and advanced persistent threat (APT) groups. If combined with a browser or document-based remote code execution flaw, it could allow a drive-by download to instantly gain full system control.

Which Systems Are Affected?

The vulnerability spans virtually all modern Windows editions, including:

  • Windows 10 versions 22H2 and later
  • Windows 11 versions 21H2 and later
  • Windows Server 2022 and later
  • Windows Server 2019 and 2016
  • Windows Server 2012 R2 and 2012
  • Windows Server 2008 R2 and 2008 (with extended security updates)

Microsoft's Security Response Center (MSRC) does not list any mitigating factors other than the local-only attack vector. There are no configuration changes that disable the vulnerable service without breaking legitimate telephony applications. The service might be stopped if no telephony hardware is present, but simply issuing a telephony API call would start it again. Thus, the only reliable defense is to install the update.

Obtaining and Deploying the Fix

Microsoft released the patch on June 9, 2026, as a standard cumulative update. The specific update packages vary by OS version:

  • For Windows 10 and Server 2019: KB5029367 (OS Build 17763.4902)
  • For Windows 11 21H2: KB5029368 (OS Build 22000.2654)
  • For Windows 11 22H2: KB5029369 (OS Build 22621.2798)
  • For Windows Server 2022: KB5029370 (OS Build 20348.2212)

These KB numbers appear in the monthly patch release alongside fixes for other vulnerabilities. The update lies in the Windows Telephony Service binary (tapisrv.dll), with the patched version implementing a proper mutex lock around the critical section.

Administrators can verify installation by checking for file version 10.0.17763.4902 or higher on Windows 10, or the corresponding build number in winver. Microsoft recommends prioritizing deployment on multi-user systems like terminal servers, kiosks, and shared workstations, where the risk of a local attacker obtaining a foothold is higher.

Mitigation and Workarounds

If immediate patching isn't possible, temporary mitigations exist, though each carries trade-offs:

  • Disable the Telephony Service: Run sc config TapiSrv start= disabled followed by sc stop TapiSrv. This prevents any local exploitation but may break applications that depend on TAPI, such as legacy fax software, certain VPN clients, and some conference room audio systems.
  • Restrict Access to Sensitive Systems: Use firewall rules and network segmentation to limit the number of users who can log in to critical servers. Reducing the local attack surface lowers the odds of an attacker reaching the service.
  • Enable Credential Guard and AppLocker: These features make it harder for an attacker to move from low-privilege to SYSTEM, even if they exploit the race condition. AppLocker can block untrusted executables, and Credential Guard hampers privilege escalation.

Microsoft's guidance emphasizes that these are stopgap measures. The only permanent resolution is the security update.

The Bigger Picture: Local EoP and Defense-in-Depth

CVE-2026-42912 joins a long list of local privilege escalation vulnerabilities in Windows services. Race conditions in system services have been a recurring theme, with notable precedents in the Print Spooler (CVE-2021-34527) and Secondary Logon (CVE-2022-21874) services. These flaws underscore a fundamental challenge: many Windows services were written years ago with the assumption that they would never be exposed to untrusted inputs. As attack techniques evolve, race conditions in inter-process communication become increasingly exploitable.

For defenders, the lesson is clear. Timely patching remains paramount, but organizations must also adopt a zero-trust posture where every local account is treated as a potential threat. Tools like Microsoft Defender for Endpoint can detect post-exploitation behavior such as token manipulation and suspicious service starts, helping to catch an attacker even if they attempt to use CVE-2026-42912.

Microsoft’s Security Response Center has credited an anonymous researcher with reporting the bug, though details of the discovery remain private. The company’s advisory follows its standard responsible disclosure timeline, with a patch developed over several months before the June rollout.

How to Check if You’re Protected

After applying the update, verify the fix using these methods:

  • Run Windows Update and confirm that the latest cumulative update is installed.
  • Check the tapisrv.dll version in C:\Windows\System32. Right-click, select Properties > Details. The file version should match the build listed in the KB article.
  • Use the Microsoft Update Catalog to download the standalone package for offline deployment.
  • In enterprise environments, validate patch compliance through Microsoft Endpoint Manager or your preferred patch management tool.

No restart is typically required, as the Telephony Service starts on demand. However, if the service was running during the update, a reboot ensures the new binary is loaded.

Community and Expert Reactions

Security professionals have noted that while CVE-2026-42912 may not grab headlines like a zero-day, it represents a class of vulnerabilities that attackers actively chain. “A local EoP is worth its weight in gold after an initial compromise,” commented one analyst on Twitter. “Patch before it ends up in a red-teaming toolkit.”

Several IT administrators in online forums reported that the June patch caused no significant side effects, and no known compatibility issues have emerged. One early tester observed that the update adds a slight delay (under 5 ms) to TAPI initialization, but this is imperceptible in real-world use.

No active exploitation of CVE-2026-42912 has been confirmed at the time of writing, but given the pattern of past vulnerabilities, proof-of-concept code may surface within weeks. Organizations are urged to move quickly.

Frequently Asked Questions

Is this flaw wormable or remotely exploitable?
No. The attacker must have local access and valid account credentials to trigger the vulnerability.

Does Windows 11 24H2 include the fix automatically?
Only if you have installed the June 2026 cumulative update. Windows 11 24H2 originally shipped with an older version of tapisrv.dll.

Can I block exploitation by turning off the Telephony Service?
Yes, but be aware that application features relying on TAPI will stop working. Check your environment before disabling it.

Are there any public exploits for CVE-2026-42912?
As of June 10, 2026, no public exploit code or detailed technical write-up has been published. Microsoft’s advisory notes that exploitation is “more likely” due to the nature of the bug, so researchers are likely working on proofs of concept.

Conclusion

CVE-2026-42912 serves as another reminder that local privilege escalation bugs are not just theoretical. They form a critical link in the attack chain that turns a minor breach into a catastrophic one. The fix is delivered through routine Windows Update, requiring minimal effort to deploy. System administrators should treat this patch with the same urgency as any other Important-rated vulnerability, especially on machines where multiple users have local access.

Robust patch management, combined with the principle of least privilege and continuous monitoring, remains the best defense against such flaws. For more details, consult the official Microsoft advisory at the link below.