CVE-2026-44800 is a Windows Push Notifications elevation of privilege vulnerability caused by a race condition. Microsoft rates it as CVSS 3.1 7.8 (High) with a temporal score of 6.8. The attack vector is LOCAL, attack complexity is HIGH, privileges required are LOW, and no user interaction is needed; scope is changed. Microsoft says exploitation is not publicly disclosed and not known to be exploited, with exploit code maturity UNPROVEN. If successfully exploited, an attacker could gain SYSTEM privileges. Because this is a local-only issue, it is less relevant to internet-exposed services, but it is still significant for enterprise endpoints and systems where attackers can obtain local code execution or low-privilege access. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; confidentiality, integrity, and availability impacts are all HIGH. - Exploitation likelihood: Exploitation Less Likely; vector context is LOCAL with HIGH attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High severity, but lower enterprise exposure than remote/network-facing vulnerabilities because exploitation requires local access and winning a race condition. Risk is most relevant on endpoints and shared Windows systems where attackers can run local code. - Patch status: available Affected systems: - Windows 11 23H2 - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2025