Microsoft’s June 2026 Patch Tuesday brought a critical security fix for a local privilege escalation vulnerability in the Windows Push Notifications service. Tracked as CVE-2026-42991, the flaw received a high-severity rating and affects all supported versions of Windows client and server operating systems. The vulnerability is a classic race condition that an authenticated attacker with low privileges can exploit to gain SYSTEM-level access on a vulnerable machine.

The Windows Push Notifications service (WpnService) runs under the SYSTEM account and handles toast, tile, badge, and raw notifications from both Windows apps and cloud services. Because it operates with elevated privileges, any bug that allows code execution in its context becomes a powerful privilege escalation vector. CVE-2026-42991 is precisely that: a time-of-check to time-of-use (TOCTOU) flaw that lets a local user manipulate a shared resource in a tightly timed window, tricking the service into performing an unauthorized operation with SYSTEM rights.

How the Attack Works

Successful exploitation requires the attacker to already have a foothold on the target system—such as through a compromised standard user account, a malicious insider, or malware initially running with limited privileges. The attacker crafts a specially designed application that races against the push notification service during its processing of certain notification payloads. By repeatedly triggering and interfering with a vulnerable code path, the attacker can eventually cause the service to write an arbitrary file, load a malicious DLL, or execute commands outside its normal sandbox.

Microsoft’s advisory categorizes the attack complexity as “high,” meaning reliable exploitation is not trivial. The race condition demands precise timing, and the attacker may need hundreds or thousands of attempts. However, once successful, the impact is total: complete compromise of confidentiality, integrity, and availability on the local system. From there, the attacker can install persistent backdoors, steal credentials, move laterally across the network, or deploy ransomware.

Affected Products and Mitigation

CVE-2026-42991 affects a broad swath of Windows releases. According to the advisory, the following client and server versions are impacted:

  • Windows 11 (all editions, including 24H2 and later)
  • Windows 10 (versions 22H2 and supported LTSC releases)
  • Windows Server 2025
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016

Older, out-of-support systems like Windows 7 and Windows Server 2008 are not listed, but organizations still running them remain at heightened risk from unpatched vulnerabilities in general.

Microsoft addressed the flaw in its June 9, 2026 security update. The patch corrects the race condition by introducing proper synchronization mechanisms, ensuring that the push notification service correctly validates resource states before acting on them. The update is distributed via Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. No workarounds are listed, and disabling the push notification service is not a viable mitigation for most environments, as it would break core functionality like action center alerts, app notifications, and connected device experiences.

Technical Deep-Dive

While Microsoft has not published a full technical write-up—as is common to protect users while patches are deployed—researchers familiar with the component point to the interplay between the Push Notification Platform (PNP) user-mode client, the WpnService, and the notification delivery pipeline. When an app registers for push notifications, the service maintains a stateful connection and periodically writes data to privileged registry hives or file locations. A race condition may occur when a notification payload is being processed while the service simultaneously reads or writes a shared configuration file. An attacker who can rapidly modify that file or create a junction point at the exact moment of access can redirect the write to an arbitrary location, such as a startup folder or a DLL search-order path.

This class of vulnerability is not new—Windows has seen similar TOCTOU bugs in services like Task Scheduler, Print Spooler, and even earlier in push notifications (CVE-2021-31957, patched in 2021). The recurrence underscores the difficulty of eliminating race conditions in systems-level code, especially in services that must handle asynchronous events from both local and network sources.

What You Should Do

Immediate patching is the only recommended action. Given the high severity and local exploitability, this vulnerability should be prioritized for all endpoints where unprivileged users have interactive access—workstations, developer VMs, jump servers, and terminal servers. Security teams should:

  • Deploy the June 2026 cumulative update to all affected Windows systems without delay.
  • Verify that the update has been installed successfully (check for known build numbers or KB article associated with the patch).
  • Monitor for unexpected privileged file writes or suspicious DLL loads from user-writable directories as indicators of attempted exploitation.
  • Review and enforce the principle of least privilege, ensuring that standard user accounts are not used for daily administration tasks.

For organizations with stringent patch management cycles, the high attack complexity might seem reassuring, but history shows that determined attackers will quickly develop reliable exploits once a patch is reverse-engineered. Indeed, proof-of-concept code often appears within days of a Patch Tuesday disclosure.

Community Reaction and the Bigger Picture

The security community’s response to CVE-2026-42991 has been one of caution but not panic. On forums and social media, system administrators are grappling with the recurring challenge of patching mid-week, often racing to test updates before the weekend. Many expressed relief that the vulnerability is not wormable or remotely exploitable without authentication, but they warned that it would be a valuable component in chained attacks—combined with an RCE bug, for example, to go from guest to SYSTEM in a single exploit chain.

Some security researchers noted the irony that push notifications, a feature primarily associated with user experience, can become a conduit for severe security flaws. As the Windows notification system grows more networked and feature-rich, its attack surface expands in tandem. Microsoft’s advisory does not mention whether this bug originated internally or was reported by an external researcher; the acknowledgment page is conspicuously empty.

Looking Ahead

CVE-2026-42991 serves as a stark reminder that even mature operating systems harbor subtle race conditions with devastating potential. The fix will likely spur additional scrutiny of the push notification component, leading to further hardening in subsequent releases. For enterprises, the episode reinforces the value of a robust patch management program and the wisdom of treating every Patch Tuesday as a high-priority event, even when disclosed bugs seem difficult to exploit.

Until the next Patch Tuesday, keeping systems updated and monitoring for suspicious low-privilege activity remains the best defense.