Use After Free Vulnerability in Windows Deployment Services by Microsoft
CVE-2026-42987

8.1 HIGH

What is CVE-2026-42987?

A use-after-free vulnerability in Windows Deployment Services (WDS) exposes systems to unauthorized code execution over the network. The issue arises when an attacker gains access to deallocated memory that the program still references. Exploiting this vulnerability could allow remote adversaries to execute arbitrary code within the context of the service, potentially compromising sensitive information or altering system operations. Users and administrators are advised to apply the recommended patches and monitor their systems to safeguard against possible exploits.

Affected Version(s)

  • Windows Server 2012 (Server Core installation), x64-based Systems: 6.2.9200.0 < 6.2.9200.26132

  • Windows Server 2012 R2 (Server Core installation), x64-based Systems: 6.3.9600.0 < 6.3.9600.23228

  • Windows Server 2012 R2, x64-based Systems: 6.3.9600.0 < 6.3.9600.23228

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
