CVE-2026-42987 – Windows Deployment Services (WDS) Remote Code Execution

CVE-2026-42987 is a Critical remote code execution vulnerability in Windows Deployment Services caused by a use-after-free flaw. An unauthenticated attacker could send specially crafted network requests to a Windows Server with the WDS role enabled and listening for TFTP traffic. Successful exploitation requires winning a race condition, but could allow code execution on the affected server.

CVSS Score: 8.1
SEVERITY: Critical
THREAT:
This vulnerability affects Windows servers running Windows Deployment Services. An attacker does not need credentials or user interaction. The main risk comes from crafted network requests targeting WDS/TFTP handling, potentially leading to memory misuse and code execution.

EXPLOITS:
Publicly Disclosed: No.
Exploited: No.
Exploitability Assessment: Exploitation Less Likely.
No public exploit, zero-day exploitation, or proof-of-concept code is confirmed in the provided data.

TECHNICAL SUMMARY:
CVE-2026-42987 is caused by a use-after-free vulnerability, identified as CWE-416, in Windows Deployment Services. The issue occurs when WDS mishandles simultaneous network requests and later uses invalid memory. An attacker could exploit this by sending specially crafted requests to a server with WDS enabled and listening for TFTP traffic. The CVSS v3.1 metrics show network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high impact to confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected software includes Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025, including listed Server Core installations.
Exploitation requires network access to a vulnerable WDS server and successful timing of a race condition.

BUSINESS IMPACT:
This vulnerability is dangerous because WDS servers often support operating system deployment and infrastructure provisioning. A successful attack could compromise deployment infrastructure, disrupt imaging services, alter trusted deployment workflows, or provide a foothold for broader server compromise.

WORKAROUND:
No mitigations or workarounds are listed.
Where patching is delayed, restrict network access to WDS/TFTP services, disable WDS where not required, and monitor unusual deployment service traffic.

URGENCY:
This patch should be prioritized because the vulnerability is Critical, remotely reachable, and requires no authentication or user interaction. Although exploitation is more difficult due to the race condition and is assessed as less likely, the impact of code execution on deployment infrastructure is significant.