CVE-2026-42912

Analyzed Analyzed - Analysis Complete

Windows Telephony Service Race Condition Privilege Escalation

Publication date: 2026-06-09

Last updated on: 2026-06-11

Assigner: Microsoft Corporation

Description

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Telephony Service allows an authorized attacker to elevate privileges locally.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-09

Last Modified

2026-06-11

Generated

2026-06-30

AI Q&A

2026-06-10

EPSS Evaluated

2026-06-28

NVD

CVE-2026-42912

EUVD

EUVD-2026-35725

Affected Vendors & Products

Vendor	Product	Version / Range
microsoft	windows_server_2012	r2
microsoft	windows_server_2012	*
microsoft	windows_10_1607	to 10.0.14393.9234 (exc)
microsoft	windows_10_1607	to 10.0.14393.9234 (exc)
microsoft	windows_10_1809	to 10.0.17763.8880 (exc)
microsoft	windows_10_1809	to 10.0.17763.8880 (exc)
microsoft	windows_10_21h2	to 10.0.19044.7417 (exc)
microsoft	windows_10_21h2	to 10.0.19044.7417 (exc)
microsoft	windows_10_21h2	to 10.0.19044.7417 (exc)
microsoft	windows_10_22h2	to 10.0.19045.7417 (exc)
microsoft	windows_10_22h2	to 10.0.19045.7417 (exc)
microsoft	windows_10_22h2	to 10.0.19045.7417 (exc)
microsoft	windows_11_23h2	to 10.0.22631.7219 (exc)
microsoft	windows_11_23h2	to 10.0.22631.7219 (exc)
microsoft	windows_11_24h2	to 10.0.26100.8655 (exc)
microsoft	windows_11_24h2	to 10.0.26100.8655 (exc)
microsoft	windows_11_25h2	to 10.0.26200.8655 (exc)
microsoft	windows_11_25h2	to 10.0.26200.8655 (exc)
microsoft	windows_11_26h1	to 10.0.28000.2269 (exc)
microsoft	windows_11_26h1	to 10.0.28000.2269 (exc)
microsoft	windows_server_2016	to 10.0.14393.9234 (exc)
microsoft	windows_server_2019	to 10.0.17763.8880 (exc)
microsoft	windows_server_2022	to 10.0.20348.5256 (exc)
microsoft	windows_server_2025	to 10.0.26100.32995 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-362	The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Attack-Flow Graph

Mitigation Strategies

To mitigate this vulnerability, it is important to apply the security updates provided by Microsoft for the Windows Telephony Service as soon as they become available.

Since the vulnerability allows local privilege escalation via a race condition, limiting local user access and ensuring that only authorized users have access to the affected service can help reduce risk until patches are applied.

Executive Summary

This vulnerability is a race condition in the Windows Telephony Service where concurrent execution uses a shared resource without proper synchronization. This flaw allows an authorized attacker to elevate their privileges locally on the affected system.

Impact Analysis

The vulnerability can allow an authorized attacker to elevate their privileges on the local system. This means the attacker could gain higher-level permissions than intended, potentially leading to unauthorized access to sensitive data, system modifications, or further exploitation.

Compliance Impact

The vulnerability allows an authorized attacker to elevate privileges locally through a race condition in the Windows Telephony Service.

Such elevation of privilege vulnerabilities can potentially lead to unauthorized access or modification of sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal or health information.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.

Hi! I’m here to help you understand CVE-2026-42912. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70