Microsoft dropped its June 2026 Patch Tuesday updates on June 9, addressing a total of 67 vulnerabilities across the Windows ecosystem. Among them, CVE-2026-42980 stands out as a local elevation-of-privilege (EoP) flaw in the NT OS Kernel that earned a CVSS 3.1 base score of 7.8 and the dreaded label ‘Exploitation More Likely.’ System administrators running supported Windows client or server releases need to apply the patch immediately—this bug hands a local attacker the keys to the kernel.

The vulnerability at a glance

CVE-2026-42980 is a classic kernel-mode EoP. An authenticated user with limited rights can leverage a weakness in how the Windows NT Kernel handles certain objects to corrupt memory, escalate to SYSTEM, and execute arbitrary code with the highest integrity level. No user interaction is required beyond logging in; the attack vector is local, complexity is low, and privileges required are low. The resulting impact is total compromise of confidentiality, integrity, and availability.

The official advisory, published on Microsoft’s Security Response Center (MSRC), warns that successful exploitation could give an attacker complete control over the target machine. Because the kernel is the operating system’s core, a win here bypasses all user-mode defenses, including Endpoint Detection and Response (EDR) hooks, sandboxing, and application whitelisting. From a red-team perspective, this is a golden ticket.

Technical breakdown: what happens inside the kernel

While Microsoft has not disclosed the precise code path, typical NT Kernel EoP bugs arise from mishandled object lifecycle operations. A race condition in the I/O manager, a use-after-free in a device driver that ships with the OS, or an integer overflow in a system call handler could all lead to this class of flaw. Attackers usually craft a malicious executable that calls a sequence of APIs, triggering the kernel to reference memory that no longer belongs to a legitimate object or to misinterpret bounds checks. The result is a write-what-where primitive, opening the door to token stealing, process injection, or direct kernel code execution.

In CVE-2026-42980’s case, the vulnerability exists in the NT Kernel itself, not in a third-party driver. That means every Windows system—from Windows 10 22H2 to the latest Windows 11 24H2, and all currently supported server releases—ships with the risky component built in. The advisory does not call out any mitigating factors that would reduce the severity. No special configuration, no administrative trick can shield an unpatched box.

Affected products

Microsoft’s update guide lists the following supported platforms as vulnerable:

  • Windows 10 version 22H2 (all editions)
  • Windows 11 version 21H2
  • Windows 11 version 22H2
  • Windows 11 version 23H2
  • Windows 11 version 24H2
  • Windows Server 2022
  • Windows Server 2025
  • Windows Server, version 23H2 (Server Core installation)

Legacy systems like Windows 8.1 or Windows Server 2012 R2 are not mentioned, having fallen out of support. However, any machine still running those without extended security updates remains at potential risk if the same kernel code exists; assume exposure unless proven otherwise.

The CVSS score unpacked

The Common Vulnerability Scoring System (CVSS) 3.1 string for CVE-2026-42980 is likely: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This translates to:

  • Attack Vector (AV): Local—an attacker must already have a foothold on the machine (a user account, physical access, or remote code execution from another exploit).
  • Attack Complexity (AC): Low—no special conditions are required; the attack can be repeated reliably.
  • Privileges Required (PR): Low—the attacker needs only basic user privileges.
  • User Interaction (UI): None—the exploit runs without any user clicks or approvals.
  • Scope (S): Unchanged—the vulnerability does not affect resources beyond the component’s security scope.
  • Confidentiality (C), Integrity (I), Availability (A): All High—once kernel access is achieved, the attacker can read, modify, and delete any data, install persistent malware, or crash the system.

The resulting base score of 7.8 lands CVE-2026-42980 in the ‘Important’ severity category by Microsoft’s internal rating. However, the ‘Exploitation More Likely’ flag pushes the urgency far beyond what the 7.8 number alone suggests.

Exploitation more likely: what this means

Microsoft’s Exploitability Index gives three assessments: ‘Exploitation More Likely,’ ‘Exploitation Less Likely,’ or ‘Exploitation Detected.’ In this case, the vendor believes an exploit will be developed soon. The reasoning often stems from the nature of the bug. If the vulnerability is easily reproducible and the affected component is widely deployed, proof-of-concept code typically surfaces within days of the patch release. Security researchers reverse-engineer the update binaries, locate the fixed function, and craft a trigger. Attackers do the same.

This classification does not mean attacks are currently happening, but it is a glaring warning: don’t wait. For a local EoP paired with a remote code execution (RCE) bug, the combination becomes an instant system takeover. Recent history shows that chaining a public kernel EoP with a browser or Office RCE leads to mass exploitation within a single week.

The advisory does not report public disclosure or active exploitation at the time of release, but the landscape could change in hours.

What the June 2026 patch fixes

The cumulative update for Windows 11 24H2 (KB5039327) and the equivalent for other versions deliver a corrected kernel binary. Microsoft’s engineers rewrote the logic that mishandled the kernel object, presumably adding proper validation of buffer sizes or reference counts. The changes are tucked inside ntoskrnl.exe, the heart of the operating system. Because the kernel is a shared resource, a single patch protects the entire OS; no additional software updates are required for device drivers or applications, unless they too were adding risk.

The update is delivered through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. It requires a reboot. Enterprises should plan for the usual testing cycle—deploy to a staging group, verify critical line-of-business applications, then roll out broadly within the short timeframe that the Exploitability Index demands.

The bigger picture: kernel EoP in the threat landscape

Kernel elevation-of-privilege bugs have become prized assets in the cybercriminal economy. Initial access brokers (IABs) sell remote footholds into corporate networks; the next step is often a local EoP to gain SYSTEM rights, allowing credential dumping, lateral movement, and deployment of ransomware. Zero-day brokers pay top dollar for kernel exploits because they work silently against fully patched systems when weaponized before Patch Tuesday.

Over the past two years, Microsoft has patched dozens of similar kernel bugs. CVE-2025-28492 (a win32k EoP), CVE-2025-30114 (another NT Kernel flaw), and CVE-2026-11285 (a Secure Kernel bypass) all carried high CVSS scores and were exploited in the wild. The cadence suggests that the Windows kernel remains a rich attack surface, despite increased investments in memory safety and virtualization-based security.

A local EoP also poses a significant risk to cloud workloads. On Azure Virtual Machines or on-premises Hyper-V hosts, admin-to-host escapes often start with a guest kernel bug. While Hyper-V’s isolation should contain a guest kernel compromise, history shows that combining a kernel EoP with a hypervisor escape can lead to cross-tenant impact. For now, there is no evidence that CVE-2026-42980 involves a hypervisor component, but the mere presence of a high-severity kernel bug should elevate defense postures across all Windows installations.

Mitigation beyond patching

Applying the June 2026 security update is the only surefire way to eliminate the vulnerability. Microsoft’s advisory lists no workarounds or temporary mitigations. In the past, disabling certain features or removing specific privileges has sometimes helped; not this time.

Still, a defense-in-depth strategy can limit the blast radius while updates roll out:

  • Enforce the principle of least privilege. Remove local admin rights from standard user accounts. Many kernel EoP exploits require initial code execution under a limited user; if the attacker cannot run arbitrary binaries in the first place, the exploit chain stalls.
  • Use Windows Defender Application Control (WDAC) or AppLocker. Restricting which executables can run—by publisher, path, or hash—makes it harder for unknown malware to launch the exploit.
  • Activate Credential Guard and Kerberos Armoring. Even if an attacker gains SYSTEM, isolating LSASS in a virtualized environment protects against credential theft.
  • Segment privileged access workstations (PAW). IT admins should avoid browsing the web or opening email on machines that have privileged access to domain controllers. A separate, hardened machine for administrative tasks reduces the chance of a local EoP leading to domain dominance.
  • Monitor for suspicious kernel activity. Endpoint security products that leverage kernel-mode sensors may detect anomalous process creation under SYSTEM, such as unexpected instances of cmd.exe or powershell.exe spawning from services.

None of these measures replace patching, but they buy time and increase the cost for an attacker.

Action plan for IT teams

The timeline for a vulnerability tagged ‘Exploitation More Likely’ is unforgiving. Security operations centers (SOCs) should follow this sequence:

  1. Inventory exposed systems. Use vulnerability management tools (Qualys, Tenable, Rapid7, Microsoft Defender Vulnerability Management) to identify every machine running a vulnerable Windows version.
  2. Assess risk scores. Prioritize internet-facing servers and workstations used by high-value targets—executives, finance, HR, IT admins—as they are most likely to be targeted.
  3. Test the update. In a representative test environment, deploy KB5039327 (or the applicable KB) and verify compatibility with critical applications. Watch for performance regressions or driver conflicts. While kernel patches are generally stable, late-stage testing avoids unexpected outages.
  4. Deploy aggressively. Push the update to all production systems within 48 hours. Configure Windows Update for Business rings or Microsoft Endpoint Manager to expedite installation.
  5. Validate patch success. After deployment, scan for the absence of CVE-2026-42980. Some tools check the version of ntoskrnl.exe; for example, the patched file on Windows 11 24H2 should be 10.0.26100.1992 or higher.
  6. Hunt for prior exploitation. Search logs for signs of local EoP: unexpected privilege escalations, creation of suspicious services, error patterns in the Security event log. If a threat actor already used this bug before June 9, you may find traces.

The final word

CVE-2026-42980 is not the most hyped vulnerability of the month—there is no snazzy logo, no brandable name. But a local kernel EoP with an ‘Exploitation More Likely’ tag is exactly the kind of flaw that separates resilient networks from breached ones. Attackers have a knack for weaponizing these silently, often weeks before the public even understands the risk.

This bug is not theoretical. It is a concrete path from a phishing victim’s desktop to full domain admin. It deserves a slot at the top of your patching priority list. Reboot the servers overnight, push the updates through, and verify. The cost of inaction is a system completely owned by someone else.