CVE-2026-42900 is a Microsoft Windows App Store elevation of privilege vulnerability caused by a race condition / improper synchronization in concurrent execution using a shared resource. Microsoft rates it as High severity with a CVSS v3.1 base score of 8.1 and temporal score of 7.1. The vector is network-based with high attack complexity, no privileges required, no user interaction, and unchanged scope, with high confidentiality, integrity, and availability impact. Microsoft states it is not publicly disclosed, not exploited, and exploit code maturity is unproven; the FAQ says successful exploitation requires an attacker to win a race condition. This is relevant to enterprise Windows deployments because it affects multiple Windows client and server versions, though the high attack complexity lowers practical exposure compared with low-complexity remote issues. Highlights: - CVSS scores: Base 8.1 - Temporal 7.1 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Unlikely; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege with HIGH confidentiality, HIGH integrity, and HIGH availability impacts. - Exploitation likelihood: Microsoft indicates Exploitation Unlikely; the vector is NETWORK with NO privileges required and NO user interaction, but attack complexity is HIGH because exploitation depends on winning a race condition. - Severity for enterprise: High technical severity due to network-reachable attack surface and no auth or interaction requirements, but the high attack complexity reduces the likelihood of reliable remote exploitation. - Patch status: available; customer action required. Affected systems: - Windows 10 1607 - Windows 10 1809 - Windows 10 21H2 - Windows 10 22H2 - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2016 - Windows Server 2019 - Windows Server 2022 - Windows Server 2025