CVE-2026-42974 Overview
CVE-2026-42974 is an integer underflow vulnerability (CWE-190) affecting the Windows Performance Monitor component across multiple supported Windows client and server releases. An unauthenticated attacker can trigger the wraparound condition over the network to execute arbitrary code on the target system. Microsoft published the advisory on June 9, 2026, and assigned the issue a CVSS 3.1 base score of 8.1 with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Exploitation does not require user interaction, but the high attack complexity reflects timing and memory-state conditions the attacker must satisfy. No public proof-of-concept exists, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of writing.
Critical Impact
Successful exploitation grants remote code execution without authentication or user interaction, exposing endpoints and servers to full system compromise.
Affected Products
- Microsoft Windows 11 (versions 23H2, 24H2, 25H2, 26H1) on x64 and ARM64
- Microsoft Windows Server 2022
- Microsoft Windows Server 2025 (x64)
Discovery Timeline
- 2026-06-09 - CVE-2026-42974 published to the National Vulnerability Database
- 2026-06-09 - Microsoft releases security update for CVE-2026-42974
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-42974
Vulnerability Analysis
The flaw resides in the Windows Performance Monitor (perfmon) subsystem, which collects and processes performance counter data from local and remote sources. A network-reachable code path performs arithmetic on a length or size field without enforcing a lower bound. When an attacker supplies a crafted value, the subtraction wraps around the unsigned integer space and produces a very large size value. The component then uses this miscalculated size to drive a subsequent memory operation, corrupting adjacent memory structures. The vulnerability falls under CWE-190 (Integer Overflow or Wraparound) and yields full confidentiality, integrity, and availability impact when chained with a working memory primitive.
Root Cause
The root cause is missing validation of an attacker-influenced size or count value before unsigned arithmetic. Performance counter and instance data parsed from the network can drive a length calculation below zero, wrapping to a large positive value. Downstream allocators and copy routines trust this value, leading to controlled out-of-bounds memory access.
Attack Vector
The attack vector is network-based and unauthenticated. An attacker sends a malformed performance data request or response to a system exposing the Performance Monitor interface over the network. The high attack complexity indicates the attacker must win a race or place memory in a specific layout to achieve reliable code execution. See the Microsoft Security Update CVE-2026-42974 advisory for protocol-level details.
Detection Methods for CVE-2026-42974
Indicators of Compromise
- Unexpected perfmon.exe, wmiprvse.exe, or svchost.exe child processes spawning command interpreters such as cmd.exe or powershell.exe.
- Crashes or unusual restarts of services hosting performance counter providers, recorded under Windows Event ID 1000 or 7031.
- Inbound RPC or SMB sessions to performance counter endpoints from untrusted network segments.
Detection Strategies
- Hunt for anomalous remote performance data queries against domain controllers, file servers, and workstations.
- Correlate process lineage where perfmon-related binaries load unsigned modules or allocate executable memory regions.
- Apply behavioral AI models from the Singularity Endpoint agent to flag memory corruption patterns and post-exploitation activity at machine speed.
Monitoring Recommendations
- Ingest Sysmon Event ID 1, 7, and 10 logs into Singularity Data Lake to baseline normal Performance Monitor behavior and surface deviations.
- Monitor for outbound connections initiated by performance counter host processes immediately after inbound RPC traffic.
- Use Purple AI natural language queries to pivot across endpoint, identity, and network telemetry when investigating suspected exploitation.
How to Mitigate CVE-2026-42974
Immediate Actions Required
- Apply the Microsoft June 2026 security updates to all affected Windows 11 and Windows Server builds without delay.
- Inventory systems exposing performance counter interfaces to untrusted networks and prioritize them for patching.
- Restrict inbound RPC and SMB traffic at the perimeter and between network segments to authorized administrative hosts only.
Patch Information
Microsoft has issued cumulative security updates that correct the bounds check in the Performance Monitor code path. Refer to the Microsoft Security Update CVE-2026-42974 advisory for the KB article numbers that apply to each affected build, including Windows 11 23H2, 24H2, 25H2, 26H1, Windows Server 2022, and Windows Server 2025.
Workarounds
- Block TCP ports 135, 139, and 445 from untrusted networks where remote performance monitoring is not required.
- Disable the Remote Registry service on hosts that do not require remote performance counter collection.
- Enforce authenticated RPC and apply Windows Defender Firewall rules limiting Performance Monitor access to specific management subnets.
# Configuration example: block inbound SMB and restrict RPC on Windows hosts
New-NetFirewallRule -DisplayName "Block SMB Inbound" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
New-NetFirewallRule -DisplayName "Restrict RPC EPMAP" -Direction Inbound -Protocol TCP -LocalPort 135 -RemoteAddress 10.0.0.0/24 -Action Allow
Set-Service -Name RemoteRegistry -StartupType Disabled
Stop-Service -Name RemoteRegistry -Force
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
