Skip to main content

Microsoft CVE-2026-32085

| EUVDEUVD-2026-22518 MEDIUM
Information Exposure (CWE-200)
2026-04-14 microsoft
5.5
CVSS 3.1 · NVD
Temporal: 4.8
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
4.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 19:41 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22518
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
MEDIUM 5.5

DescriptionCVE.org

Exposure of sensitive information to an unauthorized actor in Windows Remote Procedure Call allows an authorized attacker to disclose information locally.

AnalysisAI

Windows Remote Procedure Call (RPC) discloses sensitive information to local authenticated users in Windows 10, Windows 11, and Windows Server 2016-2025. An authorized attacker with local access and limited privileges can read confidential data without user interaction, affecting multiple Windows editions across a 9-year product span. Patch availability confirmed from Microsoft; no active exploitation reported.

Technical ContextAI

Windows RPC is a core inter-process communication mechanism enabling local and remote service invocation across Windows systems. The vulnerability stems from an information disclosure flaw (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) within the RPC runtime, likely permitting an authenticated local process to access memory regions or RPC communication buffers containing sensitive data that should be restricted. The flaw affects the RPC subsystem across Windows 10 versions 1607-22H2, Windows 11 versions 22H3-26H1, Windows Server 2016, 2019, 2022, and 2025. CPE data identifies all major client and server SKUs, indicating a platform-wide exposure rather than a component-specific issue.

RemediationAI

Vendor-released patch is available from Microsoft. Apply the latest cumulative security update for your Windows version via Windows Update, WSUS, or manual download from the Microsoft Security Update Guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32085). For Windows 10 Version 1607, update to build 10.0.14393.9060 or later; Windows 10 Version 1809 and Server 2019, update to 10.0.17763.8644 or later; Windows 10 Version 21H2, update to 10.0.19044.7184 or later; Windows 10 Version 22H2, update to 10.0.19045.7184 or later; Windows 11 22H3/23H2, update to 10.0.22631.6936 or later; Windows 11 24H2 and Server 2025, update to 10.0.26100.32690 or later; Windows Server 2016, update to 10.0.14393.9060 or later; Windows Server 2022, update to 10.0.20348.5020 or later; Windows Server 2022 23H2, update to 10.0.25398.2274 or later; Windows 11 26H1, update to 10.0.28000.1836 or later. No workarounds are documented; patching is the primary mitigation.

Share

CVE-2026-32085 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy