Microsoft’s June 2026 Patch Tuesday landed on June 9 with fixes for 49 unique CVEs, but one medium-severity vulnerability in particular slipped quietly into the advisory: CVE-2026-42969. It’s an information disclosure bug in the Windows Push Notifications service that could let an authenticated local attacker read parts of memory from other processes—no system privileges required. The flaw affects every supported version of Windows 10, Windows 11, and Windows Server, making it a broad but low-stakes threat in isolation. Yet chained with any code-execution vulnerability, it becomes a potent tool for lateral movement and data theft.

The disclosure follows a pattern Microsoft has established in recent years: push notification subsystems, deeply integrated into the OS for real-time app alerts, have expanded their attack surface. CVE-2026-42969 isn’t wormable or exploitable over the network, but its local nature doesn’t erase the risk in shared computing environments, enterprise workstations, or virtual desktop infrastructure. For IT admins staring at a pile of critical remote code execution bugs, it’s tempting to deprioritize a medium-severity info leak. That would be a mistake—defense-in-depth demands patching these seemingly minor leaks before they’re weaponized.

What Windows Push Notifications Actually Does

Windows Push Notifications (WPN) is the plumbing behind toast notifications, lock screen snippets, and background app alerts. Introduced in Windows 8 and revamped for Windows 10, it runs as a user-mode service (WpnService) inside shared svchost.exe processes, communicating with apps via the Windows Notification Platform. When an application registers for push notifications—say, Outlook for new mail or Slack for a message—WPN maintains persistent network connections to the Windows Push Notification Services (WNS) cloud relay and delivers payloads to the app’s registered handler.

That middleman role means WPN handles data on behalf of other processes, and it must carefully marshal that data across security boundaries. If the service mishandles memory allocations, fails to clear sensitive data after delivery, or incorrectly maps shared memory regions, an attacker sitting in the same user session could craft a way to peek at leftover fragments. CVE-2026-42969 falls into this category: an insufficiently cleared buffer or an over-read vulnerability within WPN’s inter-process communication (IPC) mechanism.

Microsoft’s advisory is deliberately terse: “An information disclosure vulnerability exists in Windows Push Notifications when it improperly handles objects in memory. An attacker who successfully exploited this vulnerability could read the content of memory from a privileged process.” The usual caveat applies—the attacker must already have code execution on the target machine. That lowers the severity in Microsoft’s scoring system, but practical exploitation scenarios are not hard to imagine. Malware already running with low-integrity rights could use the bug to fish for authentication tokens, encryption keys, or personally identifiable information flowing through notification payloads.

Affected Platforms and Patch Details

Microsoft lists the following products as impacted, with updates automatically distributed via Windows Update, WSUS, or the Microsoft Update Catalog:

Product Version(s) Build Requirement Update KB
Windows 10 21H2, 22H2 All editions KB5039210
Windows 11 21H2, 22H2, 23H2, 24H2 All editions KB5039211 (general release)
Windows Server 2019 All server installations Desktop Experience, Server Core KB5039212
Windows Server 2022 All server installations Desktop Experience, Server Core KB5039213
Windows Server 2025 All server installations Desktop Experience, Server Core KB5039214

Windows 10 Enterprise LTSC 2019 and Windows Server 2016 are not affected—the vulnerable code path was introduced in later versions of the push notification stack. The fix arrives in the monthly cumulative update and does not require any standalone out-of-band patch. Because it’s a local vulnerability, Microsoft’s exploitability assessment assigns it an “Exploitation Less Likely” rating, though that classification has historically proven unreliable when attackers chain bugs together.

The update corrects the memory handling routine by zeroing out notification buffers after delivery and tightening bounds checks in the shared memory mapping. There are no configuration workarounds or mitigations beyond applying the patch, and Microsoft does not recommend disabling the Push Notifications service because doing so breaks fundamental user-facing features—including Microsoft Store app updates, live tiles, and many line-of-business applications.

Severity and Scoring Nuances

CVE-2026-42969 carries a CVSS v3.1 base score of 5.5, placing it solidly in the medium-severity bucket. The vector string (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) tells the story: local attack vector, low attack complexity, low privileges required, no user interaction, and a high confidentiality impact—but no impact on integrity or availability. An attacker already on the box can read otherwise inaccessible memory without raising any alerts.

In isolation, a 5.5 score rarely triggers panic, but it’s worth noting that many post-exploitation frameworks hunt for exactly this kind of primitive. An attacker who breaches a perimeter with a phishing email might land with limited user rights. If they can then combine a local info leak like this with a privilege escalation zero-day, they can grab hashed credentials from the Local Security Authority Subsystem Service (LSASS) or scoop up plaintext secrets from notification payloads. The practical damage ceiling rises considerably.

No active exploitation was observed at the time of disclosure, and the vulnerability was reported privately through Microsoft’s bug bounty program by a researcher who will likely publish technical details once the patch has saturated the install base. That window of immunity is shrinking: Proof-of-concept code usually surfaces within days of a Patch Tuesday, and Microsoft’s own Exploit Prediction Scoring System (EPSS) gave this CVE a 0.85% probability of exploitation in the next 30 days—low, but not negligible.

How an Attack Would Unfold

To exploit CVE-2026-42969, an attacker must first run arbitrary code on the victim’s machine. That code—whether a macro-laden document, a malicious installer, or a trojanized utility—calls the vulnerable Windows Push Notifications API in a way that triggers the memory disclosure. The exact technique likely involves opening a handle to the WPN service’s shared memory section and repeatedly reading memory at an offset that exceeds the allocated buffer. Because the service doesn’t properly sanitize the data it writes to that region, remnants of other applications’ notification content remain visible.

What kind of data is exposed? That depends on which apps happened to receive a push notification recently. For a standard corporate device, that could include:

  • Email subjects and snippets from Outlook or Mail
  • Chat message previews from Microsoft Teams or Slack
  • Authentication codes from two-factor authentication apps that use notifications (e.g., Microsoft Authenticator)
  • Calendar reminders containing meeting links and passcodes
  • Any other custom notification data that an ISV pushes through WNS

Each piece alone might be trivial, but aggregated over time, a local attacker could reconstruct sensitive conversations, harvest account recovery codes, or map a user’s daily routine. In regulated industries, this sort of inadvertent data exposure violates compliance requirements even if no malicious actor actively abuses it.

The Patch Tuesday Landscape in June 2026

CVE-2026-42969 was one of 49 vulnerabilities addressed in the June 2026 update. The list included two critical remote code execution flaws in the Windows TCP/IP stack (both scored 9.8), a zero-day elevation-of-privilege bug in the Windows Kernel that had been actively exploited in the wild, and several memory corruption issues in Microsoft Edge. Against that backdrop, a medium-severity local info leak can seem like background noise. But security hygiene demands that every CVE in the cumulative update be installed—skipping KB5039211 on Windows 11 means forgoing fixes for all patched components, including the actively exploited kernel flaw.

Enterprises will receive the patches through their normal update channels. Home users should see the June cumulative update offered automatically, with installation likely scheduled for the next reboot outside active hours. Windows Update for Business rings will stagger the deployment according to established policies. No additional configuration changes are needed, and the update does not introduce any known issues affecting push notification delivery after installation.

Broader Implications for Windows Push Notification Security

This isn’t the first rodeo for push notification vulnerabilities. In 2021, a similar local info leak (CVE-2021-31956) involved the Windows Notification Host binary, and before that, CVE-2019-1454 allowed an attacker to elevate privileges through the push notification service. Each time, Microsoft patched the specific bug, but the broader attack surface—a complex, cross-privilege IPC mechanism exposed to every logged-in user—remains inherently risky.

The push notification architecture spans user and system contexts: some notifications require SYSTEM-level privileges to display over secure desktop, yet the content originates from user-mode apps. That boundary crossing is where mistakes happen, and Microsoft has been gradually moving notification parsing into more constrained sandboxes. Windows 11 24H2 introduced a hardened “Notification Platform Isolated” service account that strips many unnecessary privileges, but not all editions run that component by default.

For developers who build applications relying on WNS, this CVE serves as a reminder to avoid transmitting truly sensitive data through notification channels. Authentication tokens, full credit card numbers, or personally identifiable information should never appear in a push payload that the OS might temporarily store in plaintext memory. End-to-end encryption of notification content (using the app’s own encryption before passing data to WNS) limits exposure even when the local service leaks memory.

Immediate Steps for IT Administrators

  1. Audit current patch status. Verify that the June 2026 cumulative update is deployed to all in-scope Windows endpoints. Use Microsoft Intune, Configuration Manager, or your RMM tool to confirm build numbers match the required minimums.
  2. Check for blocking policies. Some organizations disable push notifications via Group Policy (Computer Configuration > Administrative Templates > Start Menu and Taskbar > Notifications) to reduce distractions. If that policy is already in force, the vulnerable service may still be running—but the exposure surface shrinks because no user-mode apps receive WNS payloads. However, do not rely on this as a mitigation; it’s a poor substitute for patching.
  3. Enable memory isolation features. On Windows 11 24H2 and later, ensure “Notification Platform Isolated” is running (you can check with sc query NotifyIsolated). This optional component isolates notification handling from the main push service, limiting the impact of future similar vulnerabilities.
  4. Review incident response playbooks. Incorporate local info leaks into your threat models. If your SIEM detects a process making unusual IPC requests to the WPN service (Event IDs 7031 or 1000 from Service Control Manager with WpnService), it might indicate active exploitation.
  5. Plan for the next disclosure. Formalize a policy that treats medium-severity vulnerabilities with the same urgency as critical ones when they involve memory disclosure, since they’re pivotal in chained attacks.

Conclusion

CVE-2026-42969 is a textbook example of a vulnerability that doesn’t grab headlines but gnaws at your security posture from the inside. Windows Push Notifications runs on nearly every modern Windows device, silently shuttling data between the cloud and your apps, and like any messenger, it becomes a target for eavesdropping. The June 2026 patch eliminates the direct risk, though the structural attack surface remains an architecture problem that will likely generate similar CVEs in the future.

For home users, the update will install itself. For enterprises, the calculus is straightforward: a 5.5 CVSS score alone rarely prompts an emergency change freeze, but the cumulative update containing the fix also patches actively exploited zero-days. Deploy it. Soon. And keep an eye on that push notification service—it’s more powerful than it looks.