On June 9, 2026, Microsoft released its monthly Patch Tuesday updates, tackling CVE-2026-42836—an elevation-of-privilege vulnerability in the Windows Function Discovery Service. The flaw, rated Important, resides in the fdwsd.dll module and allows a locally authenticated attacker with low privileges to exploit a race condition, gaining NT AUTHORITY\SYSTEM access. This is not just another routine patch; it underscores how even background services can open doors to full system compromise if left unaddressed.

Technical Breakdown of the Vulnerability

The Windows Function Discovery Service provides a framework for devices and applications to discover network-connected resources, such as printers and scanners, using protocols like Web Services on Devices (WSD). The vulnerable component, fdwsd.dll, handles core discovery and publication tasks. During certain operations, a classic time-of-check to time-of-use (TOCTOU) race condition occurs. The code validates a resource (e.g., a file path or registry key) with proper permissions, but a time gap before the resource is accessed allows an attacker with local code execution to swap the intended resource with a malicious symlink or junction. Because the Function Discovery Service runs with SYSTEM privileges, the attacker’s payload is then executed in that high-integrity context.

Exploitation requires the attacker to have already gained a foothold on the target machine—through phishing, brute force, an unpatched remote flaw, or physical access. Once authenticated as even a standard user, they can run a crafted executable that attempts to win the race condition. The timing window is tight, often requiring hundreds or thousands of attempts, but modern multi-core processors and well‑crafted multi-threaded exploits make reliable elevation feasible within minutes.

While Microsoft has not released a full CVSS vector at the time of disclosure, the Important rating typically corresponds to a score between 7.0 and 8.9. Factors such as low attack complexity and no user interaction requirement suggest a base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.

Impact: From Limited Access to Full Control

Successful exploitation grants the attacker SYSTEM privileges—the highest level of access on a Windows machine. This permits disabling or bypassing security controls, installing persistent malware drivers, stealing credentials from LSASS memory, and tampering with system files. On a standalone workstation, it exposes all local user data, including browser passwords and cached email tokens. In enterprise environments, an attacker can use this elevation as a stepping stone to move laterally across the domain, extract the Active Directory database, and maintain long-term access.

The Function Discovery Service is often overlooked in hardening guides, yet it runs with SYSTEM rights by default on many Windows 10, 11, and Server installations. This makes CVE-2026-42836 especially dangerous in segmented networks where a low-privileged user might be the only entry point for an attacker coming from a guest VLAN or a compromised contractor endpoint.

Affected Windows Versions

Microsoft has not published an exhaustive list, but the fdwsd.dll file is present in all supported editions: Windows 10 (version 1507 through the latest 22H2), Windows 11 (21H2, 22H2, 23H2, and 24H2), Windows Server 2016, 2019, 2022, and 2025. The service is enabled by default in many configurations, though it can be disabled. As a result, virtually every unpatched Windows system is at risk.

Organizations that rely on network device discovery (e.g., for shared printers or media streaming) are particularly exposed. Even if the service is not actively used, it represents an unnecessary attack surface until the patch is applied.

Race Condition Exploitation in Practice

Race condition elevation bugs exploit multi-threading to manipulate the order of operations. A common technique involves two threads: one repeatedly calls a privileged function that uses a predictable temporary file name, while the other rapidly replaces that file with a hardlink or symlink to a protected system file before the function writes to it. In CVE-2026-42836, the fdwsd.dll code likely handles discovery messages or resource publication entries that involve temporary storage. By redirecting writes or reads to attacker-controlled locations, the exploit can force the service to load a malicious DLL or execute code sent by the attacker.

Because the race is nondeterministic, the exploit must loop the attack code dozens or thousands of times. Tools like Process Monitor have historically aided researchers in identifying these gaps, and weaponized exploit kits often include heuristics to shorten the time to success by aligning thread priorities and using primitives such as oplocks on client-side servers.

Mitigation and Patching

Microsoft has fixed the race condition in the June 2026 cumulative updates for all affected Windows versions. The update can be deployed via Windows Update, Windows Server Update Services (WSUS), or the Microsoft Update Catalog. For systems where automatic updates are enabled, the patch will install without user interaction.

As an immediate workaround, if the Function Discovery Service is not required, administrators can disable the two related services:
- Function Discovery Provider Host (fdPHost)
- Function Discovery Resource Publication (FDResPub)

To disable them, open Services.msc, set both services to Disabled, and stop them if running. Note that this may break functionality such as network printer discovery, device connectivity in the “Network” folder, and some features of Windows Media Player. The workaround should only be used until the patch can be applied, not as a permanent solution.

Detection and Response Guidance

Race condition exploits are notoriously stealthy because they often involve benign-looking file operations and do not inject code into remote processes. However, security teams can look for:
- Unexpected child processes spawned from svchost.exe hosting the Function Discovery services (e.g., cmd.exe, powershell.exe, or mshta.exe).
- Rapid creation and deletion of files in the %TEMP% directory or in paths used by the service (C:\\Windows\\System32\\fdPHost.dll or fdwsd.dll).
- Error events (Event ID 7031 or 1000) in the System log indicating service crashes that may be due to failed exploit attempts.

Advanced endpoint detection (EDR) solutions may flag the exploitation pattern if they monitor for symlink races or TOCTOU conditions. Microsoft Defender for Endpoint, for instance, includes alerts for “Suspicious file system redirection” and “Potential elevation of privilege exploit.”

Additionally, enabling Windows Defender Credential Guard and attack surface reduction rules can make post-exploitation activity more difficult even if an attacker gains SYSTEM rights.

Historical Context: Not the First Race to SYSTEM

CVE-2026-42836 is the latest in a long line of Windows race-condition EoP vulnerabilities. Past examples include:

  • CVE-2023-36802 (Microsoft Streaming Service Proxy) – a similar race condition that allowed local attackers to elevate to SYSTEM.
  • CVE-2022-26923 (Active Directory) – exploited by malicious dll loading in the context of AD DS, leading to domain escalation.
  • CVE-2021-36934 (HiveNightmare) – an overly permissive SAM file registry access that, while not a classic race, showed how misconfigurations in high‑privilege services could be exploited.

Each of these vulnerabilities became integral to attacker toolkits because local privilege escalation is often the final step before achieving full domain compromise. Patch delays gave threat actors ample opportunity to scan for and exploit unpatched systems.

Patching Priority and Enterprise Recommendations

Security teams should treat CVE-2026-42836 with high priority, especially on multi-user systems such as Remote Desktop Servers, Citrix hosts, and shared workstations. The attack vector is local, which somewhat limits the initial attack surface, but the presence of this vulnerability on a system where an unprivileged user can execute code makes it a critical link in the kill chain.

Action items for IT administrators:
1. Inventory all Windows systems to determine which ones have the Function Discovery Service enabled and which do not yet have the June 2026 CU.
2. Deploy the patch through standard change management processes, prioritizing high‑risk assets.
3. Test the patch on a representative sample to ensure compatibility with LOB applications that may depend on device discovery.
4. Audit service configurations: if the Function Discovery services are not needed, disable them via Group Policy (Computer Configuration -> Windows Settings -> Security Settings -> System Services).
5. Monitor SIEM and EDR alerts for any post‑patching exploit attempts, as threat actors often reverse‑engineer patches to develop exploits within days.

Conclusion

CVE-2026-42836 serves as a stark reminder that local privilege escalation flaws remain a vital tool for attackers. By turning a low‑privileged foothold into complete control, these vulnerabilities can derail even the best perimeter defenses. The June 2026 Patch Tuesday fixes this race condition, but history shows that organizations that delay patching pay the price. For home users, enabling automatic updates is sufficient; for enterprises, immediate deployment and layered defenses are the only sensible response.