CVE-2026-42900: Patch Windows App Store Privilege Flaw

Microsoft has fixed CVE-2026-42900, an 8.1-rated Windows App Store elevation-of-privilege vulnerability that could let an unauthorized attacker gain higher privileges through a network-based attack. The flaw affects supported Windows 10, Windows 11, and Windows Server releases, making July 14, 2026 security updates the required remediation rather than an optional Store-app refresh.
Detailed in Microsoft’s Security Update Guide and published as part of the July 2026 Patch Tuesday release, CVE-2026-42900 stems from concurrent access to a shared resource without proper synchronization—commonly called a race condition. Microsoft’s description says exploitation could occur over a network, an unusual and potentially more serious characteristic for a privilege-escalation vulnerability.
The vulnerability carries a CVSS 3.1 base score of 8.1 and is associated with CWE-362, covering race conditions, and CWE-416, covering use-after-free memory errors. Microsoft has confirmed the vulnerability’s existence, but the public advisory does not provide enough detail to reconstruct the affected App Store operation or build a reliable exploit from the description alone.

Cybersecurity graphic shows a Windows race-condition vulnerability and systems changing from exposed to patched.A Race Condition With a Network Path​

Race conditions occur when two or more operations access the same resource and the software’s security depends on which operation completes first. An attacker attempts to manipulate that timing window so the program uses data or permissions in a state its developers did not intend.
The CWE-416 classification adds a memory-safety dimension: a component may continue using an object after it has been released. If an attacker can influence what replaces that object in memory, the resulting behavior can range from a crash to execution within a more privileged process.
Microsoft’s wording is important because it describes the attacker as unauthorized and the attack path as network-accessible. That does not automatically mean any Internet user can compromise every Windows PC; network reachability, service exposure, configuration, and exploit complexity still determine practical risk. It does mean administrators should not dismiss CVE-2026-42900 as a conventional local privilege-escalation bug that only matters after an attacker has already signed in.
The advisory’s report-confidence metric is marked confirmed. In CVSS terminology, that indicates detailed reports exist, reproduction is possible, source code can verify the issue, or the vendor has confirmed the flaw. It does not mean exploit code is public, nor does it establish that attacks are occurring in the wild.
There is also no public technical walkthrough identifying the precise App Store service, API call, or memory sequence involved. That withholding is normal on Patch Tuesday, especially where a detailed explanation could sharply reduce the work required to turn a race condition into a functioning exploit.

The Fix Reaches Across Windows Generations​

CVE-2026-42900 is not confined to one Windows 11 feature update. The affected-product data covers Windows 10 releases still receiving applicable servicing, current Windows 11 versions, and multiple generations of Windows Server.
Affected client releases include:
  • Windows 10 Version 1607 systems running builds earlier than 14393.9339.
  • Windows 10 Version 1809 systems running builds earlier than 17763.9020.
  • Windows 10 Version 21H2 systems running builds earlier than 19044.7548.
  • Windows 10 Version 22H2 systems running builds earlier than 19045.7548.
  • Windows 11 Version 24H2 systems running builds earlier than 26100.8875.
  • Windows 11 Version 25H2 systems running builds earlier than 26200.8875.
  • Windows 11 version 26H1 systems below the applicable July servicing build.
The server list includes Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core installations are explicitly represented for several releases, undercutting any assumption that the absence of the full graphical Microsoft Store experience removes exposure.
That breadth suggests the vulnerable functionality resides in a shared Windows application-deployment or Store-support component rather than only in the visible Microsoft Store client. The product label “Windows App Store” can therefore be misleading for inventory decisions: a machine does not necessarily need users browsing the Store for its underlying operating-system component to require patching.
Among the updates tied to the vulnerability, Microsoft lists KB5099538 for Windows Server 2019 and Windows 10 Version 1809, raising those systems to OS Build 17763.9020. Windows Server 2022 receives KB5099540 and advances to OS Build 20348.5386. Other supported branches receive their corresponding July 14 cumulative security update.
Because Windows cumulative updates supersede earlier fixes, administrators should use the Security Update Guide and their normal servicing catalog to match each device with the correct package. The safe compliance test is whether the installed build equals or exceeds Microsoft’s corrected build for that servicing branch—not whether the Microsoft Store application shows a recent update date.

Store Restrictions Are Not a Substitute for Patching​

Enterprises commonly disable the Store interface, restrict Store purchases, block consumer Microsoft accounts, or manage applications through Microsoft Intune and Configuration Manager. Those controls can reduce user-driven software installation, but they should not be treated as mitigation for CVE-2026-42900.
The vulnerability is being serviced through Windows security updates across desktop and server products. That points to an operating-system component whose presence and exposure cannot be judged solely by whether users can open the Store window.
Administrators should prioritize the regular July cumulative update and verify the resulting OS build. Systems unable to install the update immediately should receive additional scrutiny for unexpected network activity, unusual child processes launched by application-management services, and privilege changes associated with Store or application-deployment components.
Microsoft has not documented a separate workaround in the publicly available information. Disabling Store access, removing shortcuts, or blocking the Store executable may therefore create a false sense of protection while leaving the affected Windows infrastructure installed.
Security teams should also distinguish CVE-2026-42900 from malicious or vulnerable third-party applications delivered through the Microsoft Store. This flaw is attributed to Microsoft’s Windows App Store implementation itself; auditing the installed-app list is useful security hygiene, but it does not remediate the underlying race condition.

An 8.1 Score Deserves Prompt Deployment, Not Panic​

CVE-2026-42900 combines a high CVSS score, broad platform coverage, memory-safety weakness, and a stated network attack path. Those properties justify prompt deployment, particularly on multi-user endpoints, session hosts, exposed servers, and machines where application deployment services interact with less-trusted networks.
At publication time, however, the public record does not establish widespread exploitation or the availability of proof-of-concept code. Microsoft has also released only a concise vulnerability description, leaving key prerequisites and the reliability of exploitation unclear.
That uncertainty should shape prioritization rather than delay it. A race-condition exploit can be difficult to make dependable, but once researchers understand the corrected code, comparing patched and unpatched binaries may expose the vulnerable sequence. The technical barrier can fall after an update ships even when the original advisory is sparse.
For Windows administrators, the action is straightforward: deploy the July 14, 2026 cumulative security updates, confirm the corrected build on every applicable client and server branch, and do not count Store policy restrictions as remediation. The next meaningful milestone will be whether Microsoft revises the advisory with exploitability information or security researchers publish technical details that clarify how readily the network-based race condition can be triggered.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top