Microsoft has disclosed a new elevation-of-privilege vulnerability in the Windows Push Notification service, tracked as CVE-2026-42979. Revealed on June 9, 2026, as part of this month's Patch Tuesday updates, the flaw carries a high-severity rating and could allow a local attacker to gain SYSTEM-level privileges on unpatched machines. The race condition vulnerability impacts a wide swath of supported Windows versions, including Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022.

Push notifications are a core Windows feature that delivers real-time alerts from apps and services, such as email, calendar reminders, and system messages. The service runs with elevated privileges and is a persistent target for attackers seeking to escalate their foothold on a compromised system. CVE-2026-42979 represents the latest example of a logic flaw in this critical subsystem.

How the Race Condition Enables Privilege Escalation

At its core, CVE-2026-42979 is a race condition bug that occurs when the Windows Push Notification service handles inter-process communication (IPC) requests. In a typical attack scenario, a locally authenticated but low-privileged user crafts a malicious application that fires rapid, timed requests to the push notification endpoint. By carefully synchronizing these operations, the attacker can trigger a time-of-check to time-of-use (TOCTOU) vulnerability where the service validates a resource at one point but uses it after its state has changed.

Specifically, the flaw exists in the way the service manages notification callback tokens. When a legitimate app registers for push notifications, the system allocates a token that references a memory address or object containing permission data. The race condition allows an attacker to swap the token's referenced object with a crafted one that points to sensitive memory structures. Because the service processes this token after the swap without re-verification, the attacker can trick the privileged process into writing to arbitrary memory locations.

In a successful exploit, the attacker overwrites a function pointer or return address in the service's memory space, redirecting execution to attacker-controlled shellcode. This shellcode then runs with the full SYSTEM integrity level. The result: complete compromise of the local machine without any user interaction beyond executing the exploit initially.

The complexity of such an attack is moderate – while the race window is narrow, modern exploit-development techniques like heap spraying, precise timing loops, and NtQuerySystemInformation calls can widen the window significantly. Microsoft notes that the vulnerability has not been publicly disclosed or exploited in the wild, but given the high value of local privilege escalation in malware chains, it is likely to attract attention from advanced persistent threat (APT) groups and ransomware operators.

Affected Systems and Impact

CVE-2026-42979 affects all currently supported editions of Windows that have the push notification service enabled. The full list includes:

  • Windows 10 version 21H2 and later
  • Windows 11 versions 21H2, 22H2, 23H2, and 24H2
  • Windows Server 2019 (including Server Core)
  • Windows Server 2022 (including Server Core)
  • Windows Server 2025 (affected if the Desktop Experience is installed)

Windows Server installations are at particular risk if they allow standard user logins, such as terminal servers or jump hosts. Even isolated servers running core services could be compromised if an attacker first obtains a foothold via a different vector (e.g., a phishing attack on a low-privileged admin) and then uses this exploit to pivot to full domain dominance.

The vulnerability's severity is reflected in its CVSS v3.1 score of 7.8, positioning it as a high-risk issue. While it requires local access – lowering the attack vector score – the impact on confidentiality, integrity, and availability is complete, as a successful exploit grants SYSTEM rights, effectively bypassing all security boundaries.

Patch Availability and Mitigation

Microsoft has released out-of-band security updates that address the root cause: a lack of proper lock synchronization during token validation. The fix introduces a mutex-based locking mechanism that serializes access to the shared memory region, eliminating the race window. The updates are distributed through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog.

Affected users should prioritize the following update packages based on their version:

  • Windows 10: KB5062103 (build 19045.5432)
  • Windows 11 21H2: KB5062101 (build 22000.3854)
  • Windows 11 22H2/23H2: KB5062100 (build 22621.5432 / 22631.5432)
  • Windows 11 24H2: KB5062099 (build 26100.4321)
  • Windows Server 2022: KB5062098 (build 20348.3890)
  • Windows Server 2019: KB5062102 (build 17763.7250)
  • Windows Server 2025: KB5062097 (build 26100.4321 – Desktop Experience only)

Administrators who cannot immediately patch can implement a temporary mitigation by disabling the Windows Push Notifications service. This can be achieved via Group Policy or the registry:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\WpnService" /v Start /t REG_DWORD /d 4 /f

However, disabling push notifications will break all real-time notifications from Microsoft Store apps, including calendar, mail, and messaging updates. For enterprise environments, aggressive patching is the recommended course.

Analysis: A Recurring Attack Pattern

CVE-2026-42979 continues a trend of race condition vulnerabilities in Windows system services. In the past two years, similar flaws have been found in the Windows Graphics Component (CVE-2024-30079), the Windows Kernel (CVE-2025-21421), and the Windows Telephony Service (CVE-2025-31654). These bugs often stem from the same root: legacy codebases with insufficient concurrency controls, exacerbated by the increasing speed of modern CPUs that make race windows easier to hit.

Security researchers note that the push notification service is particularly appealing because it rarely requires direct user interaction and runs in a predictable, high-integrity context. The complexity of IPC marshaling and the mix of .NET and native code in the service create edge cases where synchronization primitives can be bypassed.

The patch for this CVE is a reminder that even auxiliary services can be a gateway to full system compromise. For threat actors, chaining a remote-code execution flaw (like a browser bug) with a local privilege escalation is a standard operation. This bulletin underscores why users and IT administrators must treat all Patch Tuesday updates as critical – even those rated "important" or "moderate" on the surface.

What's Next? Future Attack Vectors

With each Patch Tuesday, researchers inevitably reverse-engineer the fixes to understand the vulnerable logic. For CVE-2026-42979, expect detailed technical write-ups and proof-of-concept exploits to appear within weeks. Microsoft has already added detection logic to Microsoft Defender for Endpoint, flagging behaviors consistent with exploitation attempts (e.g., rapid NtSetContextThread calls targeting the push notification process).

Looking ahead, Microsoft is investing in safer design patterns for services, including the gradual adoption of Rust in kernel-adjacent components and more robust sandboxed IPC mechanisms. However, such transitions take years. In the interim, tools like Attack Surface Reduction (ASR) rules and Credential Guard can limit the damage if an exploit succeeds. For instance, the ASR rule "Block process creations originating from PSExec and WMI commands" can prevent lateral movement even after SYSTEM access is gained.

Organizations should also consider implementing a robust patch management strategy that goes beyond simply installing updates. Regular vulnerability scanning, segmented network architectures, and zero-trust principles ensure that a local privilege escalation does not immediately translate to a domain-wide breach.

In the grander scheme, this CVE is another data point in the ongoing battle between offensive and defensive security. For Windows enthusiasts and administrators, the message is clear: June 2026 Patch Tuesday is not one to postpone. Attackers are quick to weaponize such flaws, and the window between disclosure and active exploitation shrinks every year.

WindowsNews.ai will continue to monitor for any in-the-wild exploitation and will provide updates if Microsoft revises the advisory or assigns a higher severity. For now, head to Settings > Windows Update and install the latest patches immediately.