CVE-2026-42825 Overview
CVE-2026-42825 is a use-after-free vulnerability [CWE-416] in the Windows Telephony Service that allows an authenticated local attacker to elevate privileges. The flaw affects a broad range of Microsoft Windows client and server releases, from Windows 10 1607 through Windows 11 26h1, and from Windows Server 2012 through Windows Server 2025. Successful exploitation grants high impact to confidentiality, integrity, and availability on the affected host. Microsoft published the advisory on May 12, 2026 and updated it on May 14, 2026.
Critical Impact
A successful exploit allows an authorized local user to elevate privileges on the affected Windows host, gaining high impact on confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2) on x86, x64, and arm64
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) on x64 and arm64
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-05-12 - CVE-2026-42825 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-42825
Vulnerability Analysis
The vulnerability resides in the Windows Telephony Service, the system component that handles Telephony Application Programming Interface (TAPI) requests for voice, data, fax, and call control. The defect is a use-after-free condition classified under [CWE-416]. The service references a memory object after that object has been freed, allowing an attacker who controls the reallocation of that memory to influence subsequent code paths within a privileged process. Exploitation requires local access and low-privileged authentication, but no user interaction. The attack complexity is high, indicating that the attacker must win a race or satisfy non-trivial preconditions to reach the vulnerable code reliably.
Root Cause
The root cause is improper lifetime management of a heap object inside the Telephony Service. After the object is freed, a dangling pointer remains reachable through a code path that dereferences it as if it were still valid. When an attacker reallocates the freed slot with attacker-controlled data before the dereference occurs, the service operates on adversary-shaped memory while running in a higher-privileged context.
Attack Vector
The attacker must already have an authenticated session on the target system with low privileges. The attacker invokes Telephony Service interfaces from a local process to trigger the free, then races to reallocate the slot with controlled contents before the service reuses the dangling pointer. The result is local privilege elevation, with no user interaction required. No public proof-of-concept exploit is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.04%.
No verified exploitation code is publicly available. See the Microsoft Security Update CVE-2026-42825 advisory for vendor technical details.
Detection Methods for CVE-2026-42825
Indicators of Compromise
- Unexpected crashes or restarts of the TapiSrv service or the hosting svchost.exe instance running the Telephony Service.
- Creation of new local administrator accounts, services, or scheduled tasks shortly after Telephony Service anomalies.
- Low-privileged processes spawning child processes that run with SYSTEM or elevated tokens.
Detection Strategies
- Monitor Windows Error Reporting and the Application event log for faulting modules associated with the Telephony Service or tapisrv.dll.
- Alert on access to Telephony Service Remote Procedure Call (RPC) interfaces from non-standard or newly installed user-mode processes.
- Correlate local logon events with subsequent token elevation or process integrity-level changes to surface privilege escalation chains.
Monitoring Recommendations
- Enable Microsoft-Windows-RPC and Sysmon process and image-load logging on Windows endpoints and servers.
- Track service stop and start events for the Telephony Service across managed hosts and forward them to a centralized analytics pipeline.
- Baseline normal Telephony Service callers in the environment and alert on deviations, particularly on servers where telephony functionality is unused.
How to Mitigate CVE-2026-42825
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update CVE-2026-42825 advisory across all affected Windows client and server builds.
- Inventory all Windows 10, Windows 11, and Windows Server systems using the affected CPE list and prioritize multi-user systems and terminal servers.
- Restrict interactive and remote desktop logon rights to reduce the population of low-privileged accounts that could reach the local attack surface.
Patch Information
Microsoft has released patches addressed through the May 2026 security update cycle. The fix is documented in the Microsoft Security Update CVE-2026-42825 advisory and applies to all listed Windows 10, Windows 11, and Windows Server versions.
Workarounds
- Disable the Windows Telephony Service (TapiSrv) on systems that do not require Telephony Application Programming Interface functionality, after validating no business applications depend on it.
- Enforce least privilege and remove local administrative rights from standard user accounts to limit the impact of any successful privilege escalation.
- Apply application control policies, such as Windows Defender Application Control, to block unsigned or untrusted binaries that could be used to stage local exploitation.
# Configuration example: stop and disable the Telephony Service where not required
sc.exe stop TapiSrv
sc.exe config TapiSrv start= disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
