cve 2026 42991

CVE-2026-42991 is a Microsoft-confirmed Windows Push Notifications elevation-of-privilege vulnerability disclosed on June 9, 2026. It affects supported Windows client and server releases, allowing a local authenticated attacker to gain higher privileges through a race-condition-style flaw. This vulnerability highlights how a background Windows service that administrators often overlook can become part of the privilege-escalation attack surface. In a Patch Tuesday cycle crowded with remote-code-execution bugs, CVE-2026-42991 represents the kind of local flaw that becomes critical after an attacker gains an initial foothold. Discussions on WindowsForum.com cover the technical details, affected versions, and mitigation strategies for this vulnerability.