CVE-2026-42829 Overview
CVE-2026-42829 is an improper access control vulnerability in the Windows Administrator Protection security feature. An authorized local attacker can bypass the protection mechanism and elevate privileges on affected Windows 11 systems. Microsoft assigned this issue a CVSS 3.1 base score of 7.8 and categorized it under CWE-284: Improper Access Control. The flaw affects Windows 11 versions 24H2, 25H2, and 26H1 on both ARM64 and x64 platforms. Exploitation requires local access and low privileges but no user interaction.
Critical Impact
A local authorized attacker can bypass Windows Administrator Protection to gain elevated privileges, compromising confidentiality, integrity, and availability on affected hosts.
Affected Products
- Microsoft Windows 11 24H2 (ARM64, x64)
- Microsoft Windows 11 25H2 (ARM64, x64)
- Microsoft Windows 11 26H1 (ARM64, x64)
Discovery Timeline
- 2026-06-09 - CVE-2026-42829 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-42829
Vulnerability Analysis
The vulnerability resides in Windows Administrator Protection, a security feature designed to constrain administrative actions and limit the blast radius of compromised admin sessions. Improper access control in the feature allows an attacker with valid local credentials to circumvent the enforcement boundary. Successful exploitation yields high impact on confidentiality, integrity, and availability of the host. The flaw maps to CWE-284: Improper Access Control, indicating the affected component fails to restrict access to a resource from an unauthorized actor.
Root Cause
The root cause is an access control failure within the Windows Administrator Protection enforcement logic. The feature does not adequately validate the authorization context of a caller before granting access to protected administrative operations. This permits a local user with low privileges to perform actions reserved for a fully elevated administrator.
Attack Vector
Exploitation requires local access to the target system and authenticated low-privileged context. No user interaction is needed once the attacker has executed code locally. The attacker leverages the access control gap to bypass Administrator Protection and execute privileged operations. Microsoft has not disclosed public exploitation, and the Microsoft CVE-2026-42829 Advisory provides vendor remediation guidance.
No verified public proof-of-concept code is currently available for this vulnerability. Technical mechanics for the bypass should be obtained from the Microsoft Security Response Center advisory once published.
Detection Methods for CVE-2026-42829
Indicators of Compromise
- Unexpected elevation events in the Windows Security event log where a standard user context transitions to administrative privilege without a corresponding consent prompt.
- Process creation events spawning privileged child processes from medium-integrity parents on Windows 11 24H2, 25H2, or 26H1 hosts.
- Modifications to protected registry hives or system directories performed by accounts that should be constrained by Administrator Protection.
Detection Strategies
- Monitor Windows Event IDs 4672 (special privileges assigned) and 4688 (process creation) for anomalous privilege assignment patterns.
- Correlate token elevation events with the absence of expected UAC or Administrator Protection consent dialogs.
- Baseline normal administrative workflows and alert on deviations such as off-hours elevation or elevation from non-interactive sessions.
Monitoring Recommendations
- Enable detailed audit policies for process creation, privilege use, and account management on Windows 11 endpoints.
- Forward Windows event telemetry to a centralized analytics platform to support cross-host correlation and retroactive hunting.
- Track installation status of Microsoft June 2026 security updates across the fleet using configuration management tooling.
How to Mitigate CVE-2026-42829
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-42829 Advisory to all affected Windows 11 24H2, 25H2, and 26H1 hosts.
- Restrict local logon rights and limit the number of accounts with interactive access to sensitive endpoints.
- Audit local administrator group membership and remove unnecessary privileged accounts.
Patch Information
Microsoft has published remediation guidance through the Microsoft Security Response Center. Refer to the Microsoft CVE-2026-42829 Advisory for the specific KB articles and cumulative updates that address the access control flaw in Administrator Protection on Windows 11 24H2, 25H2, and 26H1.
Workarounds
- No vendor-supplied workaround is documented. Patching is the supported remediation path.
- Enforce the principle of least privilege through Group Policy to reduce the population of accounts capable of triggering the bypass.
- Deploy application control policies such as Windows Defender Application Control (WDAC) to limit unauthorized binaries from running locally.
# Verify installed updates on a Windows 11 host
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
# Audit local administrators group membership
Get-LocalGroupMember -Group "Administrators"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
