CVE-2026-42987: Windows Deployment Services (WDS) Remote Code Execution

Overview

Severity

High (CVSS 8.1)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-Jun

Released

2026-06-09

Description

Use after free in Windows Deployment Services allows an unauthorized attacker to execute code over a network.

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. How could an attacker exploit this vulnerability? An attacker could send specially crafted network requests to a Windows Server system that has the Windows Deployment Services (WDS) role enabled and is listening for TFTP traffic. By triggering an error in how the server handles simultaneous requests, an unauthenticated remote attacker could cause the service to use invalid memory, which could allow the attacker to run code on the affected server.

Affected Products (12)

Windows

• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server 2022
• Windows Server 2022 (Server Core installation)
• Windows Server 2025 (Server Core installation)
• Windows Server 2025
• Windows Server 2016
• Windows Server 2016 (Server Core installation)

ESU

• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)

Security Updates (6)

• 5094123
• 5094128
• 5094125
• 5094122
• 5094042
• 5094041

Acknowledgments

R4nger with Kunlun Lab & Zhiniang Peng with HUST

Revision History

• 2026-06-09: Information published.