Microsoft has patched a high-severity local privilege escalation vulnerability in the Windows Push Notifications service, tracked as CVE-2026-42977. Disclosed on June 9, 2026, as part of the company’s monthly Patch Tuesday rollout, the flaw affects all supported editions of Windows 10, Windows 11, and Windows Server. An attacker who successfully exploits this vulnerability could elevate their privileges from a limited user account to full SYSTEM access, compromising confidentiality, integrity, and availability of the entire Windows system.

How the Vulnerability Works

Windows Push Notifications is a core system service responsible for delivering toast, tile, badge, and raw notifications from apps and cloud services to users. It runs with elevated privileges to interface with the lock screen, action center, and application frameworks. According to the advisory, CVE-2026-42977 stems from an error in how the service validates the permission level of calling processes when performing certain operations. A locally authenticated attacker could craft a special application or script that invokes a vulnerable API or manipulates an inter-process communication (IPC) channel to force the service to execute arbitrary code as NT AUTHORITY\SYSTEM.

While technical specifics were embargoed at the time of disclosure, typical privilege escalation flaws in notification subsystems involve insufficient access controls on shared memory objects, improper handling of impersonation tokens, or a failure to validate message payloads. Because push notifications are deeply integrated into the Windows shell and connect to network endpoints, the risk footprint is broader than many assume. The service is always active on modern Windows installations, making it an attractive target for post-breach attacks.

  • Attack Vector: Local (L)
  • Attack Complexity: Low (L)
  • Privileges Required: Low (L)
  • User Interaction: None (N)
  • Scope: Unchanged (U)
  • Confidentiality Impact: High (H)
  • Integrity Impact: High (H)
  • Availability Impact: High (H)

These CVSS v3.1 metrics anchor the 7.8 base score that earned CVE-2026-42977 its “Important” severity rating—Microsoft’s equivalent of “High” in the CVSS scale. Though local access is required, that is commonly achieved via social engineering, stolen credentials, or another initial compromise vector. Once SYSTEM privileges are obtained, an attacker can disable security tools, install persistent malware, steal credentials, or move laterally across a network.

Affected Configurations

Every supported release of Windows 10, Windows 11, and Windows Server as of June 2026 is vulnerable. Microsoft did not publish an exhaustive build list, but the following are presumed affected based on the lifecycle policies in effect at the time:

Product Supported Editions
Windows 10 22H2 (Enterprise, Education, IoT Enterprise)
Windows 11 24H2, 23H2 (Home, Pro, Enterprise, Education)
Windows Server 2022 Standard, Datacenter, Azure Stack HCI
Windows Server 2025 Standard, Datacenter

The advisory emphasizes that both x64 and Arm64 architectures are impacted. Windows 10 Enterprise 2015 LTSB and 2016 LTSB are not listed as affected, likely because they ship with earlier, non-vulnerable versions of the push notification stack.

The June 2026 Patch Tuesday Context

June’s security update batch addressed 87 unique CVEs, with CVE-2026-42977 being one of five privilege escalation vulnerabilities in various Windows services. Other notable fixes included a zero-day for the Windows Print Spooler (CVE-2026-42968) and a critical remote code execution bug in Microsoft Edge (CVE-2026-42973). The push notification fix arrived via the monthly cumulative updates for Windows 10 (KB5039212) and Windows 11 (KB5039217), as well as the security-only update bundles. Windows Server administrators received the patch through KB5039335 (Server 2022) and KB5039340 (Server 2025).

Microsoft recommends all users accept the patches immediately through Windows Update, WSUS, or the Microsoft Update Catalog. The updates are cumulative, meaning they include the fix for CVE-2026-42977 along with all previously released security improvements. For environments that delay full rollouts, it is possible to apply just the security-only update, though doing so will skip quality and feature improvements that can stabilize the push notification service.

Mitigations and Workarounds

No practical workaround exists for this vulnerability short of disabling the Windows Push Notifications service entirely, which is not a viable option for most desktops. Stopping the service breaks toast notifications, app updates, Microsoft Store functionality, and some Microsoft 365 alerting features. Microsoft’s advisory does not suggest any registry-based mitigation. The recommended action is to install the update.

For organizations that must maintain granular control until patching is complete, security teams can consider these compensating measures:

  • Monitor process creation: Sysmon or Windows Event Log ID 4688 can reveal unexpected processes spawning from the notification service binary (WpnService.dll). Look for child processes launched with SYSTEM integrity that have no history.
  • Restrict local access: Enforce strict endpoint authentication and access policies to limit who can interactively log on to critical servers.
  • Enable Attack Surface Reduction (ASR) rules: Rules such as “Block process creations originating from PSExec and WMI commands” may obstruct common techniques used after initial privilege escalation.
  • Harden service permissions: Although not officially recommended, advanced administrators can use sc.exe sdshow and sc.exe sdset to tighten the service’s discretionary access control list (DACL), preventing non-administrators from interacting with it. This may cause unintended side effects on user-mode notification workflows.

These steps do not close the vulnerability; they only raise the bar for an attacker who has already gained low-privilege access.

Exploitation Outlook

At the time of the advisory’s release, Microsoft’s Exploitability Index rated CVE-2026-42977 as “Exploitation More Likely.” No in-the-wild attacks were confirmed, but the combination of low attack complexity and the pivotal role of the push notification service makes future exploitation probable. Proof-of-concept code often surfaces within weeks for such vulnerabilities, especially if the patch can be reverse-engineered through binary comparison.

Historically, local privilege escalation bugs in Windows services are weaponized quickly by ransomware affiliates and advanced persistent threat (APT) groups. For instance, CVE-2022-21882 (Win32k) and CVE-2023-28252 (Common Log File System) were adopted in post-compromise toolkits within days of disclosure. CVE-2026-42977 fits this pattern because it offers a reliable, low-noise method to jump from limited user to kernel-level authority.

Detection Guidance

Microsoft Defender for Endpoint and other endpoint detection and response (EDR) tools received detection logic updates alongside the patch. Security teams should verify that their detection engine is using intelligence version 1.425.1000 or later, which includes behavioral signatures for attempts to exploit CVE-2026-42977. Microsoft 365 Defender customers can hunt for suspicious activity using these Kusto queries:

// Look for WpnService spawning uncommon child processes
DeviceProcessEvents
| where InitiatingProcessFileName =~ "wpnservice.exe"
| where ProcessCommandLine !contains "svchost"
| project Timestamp, DeviceName, ProcessId, ProcessCommandLine, AccountDomain, AccountName

// Identify token manipulation attempts targeting the notification service
DeviceEvents
| where ActionType == "OpenProcessApiCall" and FileName =~ "wpnservice.exe"
| where AdditionalFields has "TokenElevationType"
| summarize count() by DeviceName, AccountName, bin(Timestamp, 1h)

Additional telemetry can be gathered from Windows Event Log for Security (ID 4672 – Special Logon) when SYSTEM privileges are assigned to an unusual user account. Correlating these logs with process creation events often pinpoints privilege escalation attacks.

What This Means for IT Administrators

For routine patch management, CVE-2026-42977 does not require extraordinary measures beyond the standard monthly update cycle. However, because it affects a component that is always running and rarely scrutinized, it serves as a reminder that not all high-impact vulnerabilities live in internet-facing services. Local privilege escalation bugs are the backbone of lateral movement and credential theft chains.

Administrators should:

  • Prioritize this update for workstations that are shared, used by multiple users, or accessible via guest accounts.
  • Validate that the push notification service is up to date by checking the file version of C:\\Windows\\System32\\WpnService.dll. Post-patch, the version should be 10.0.19041.5532 or higher for Windows 10, and 10.0.22621.4111 or higher for Windows 11.
  • Reboot systems promptly after installation—the notification service cannot be restarted without a full system restart, and the patch will not be fully effective until the service reloads.

The update does not introduce any known regressions with respect to notification delivery, the Windows Action Center, or Microsoft Teams integration. Testing in Microsoft’s Release Health Dashboard indicated normal functionality across all supported configurations.

The Broader Push Notification Landscape

Push notification mechanisms have grown increasingly complex as they expand beyond simple alerts to powering real-time communication, watchface updates, fitness tracking sync, and cloud-to-device command channels. This broad attack surface is not unique to Windows—similar privilege escalation flaws have been unearthed in macOS’s usernoted daemon and Android’s NotificationManagerService. The underlying challenge is that notification services must bridge high-privilege system contexts with user-installed apps that operate at low integrity. Enforcing a perfect security barrier across that boundary is difficult.

Microsoft’s own push notification infrastructure, which underpins Windows Push Notification Services (WNS) used by third‑party apps, is not directly implicated in this vulnerability. CVE-2026-42977 exists solely in the local service that receives and dispatches notifications, not the cloud relay. Therefore, disconnected or air‑gapped systems that still process local notifications are equally at risk.

Looking Ahead

With the June 2026 updates deployed, Microsoft’s next Patch Tuesday will fall on July 14, 2026. Ahead of that date, the security community will be watching for any public exploit code or active attack reports for CVE-2026-42977. Researchers who often publish technical write‑ups after a patch cools off may provide deeper insight into the root cause, helping defenders understand potential chaining opportunities.

In the interim, the best defense remains swift, consistent patching. The Windows Push Notifications service is not something users interact with directly, which makes it an easy target to overlook. But as this vulnerability demonstrates, even the quiet background hum of the operating system can bring a system to its knees if left unpatched.