Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionNVD
Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally.
AnalysisAI
Windows Shell exposes sensitive information to locally authenticated, low-privileged attackers without requiring user interaction or elevated privileges. The vulnerability (CWE-200) results in high confidentiality impact, allowing disclosure of sensitive data accessible through the Shell component. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the Microsoft Security Response Center (MSRC) has acknowledged the issue via advisory.
Technical ContextAI
Windows Shell (explorer.exe and associated subsystems) serves as the graphical user interface layer of Microsoft Windows, handling file system browsing, application launching, and inter-process communication. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) indicates that the Shell component improperly exposes data - such as file paths, tokens, environment variables, or registry values - to a low-privileged process or user that should not have access to that information. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms this is a local attack requiring only standard user-level access, with no interaction from other users needed. The scope is unchanged (S:U), meaning the vulnerability does not allow the attacker to break out of the security context of the Shell component itself. No CPE strings were provided in the source data; affected Windows versions must be confirmed via the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42906.
RemediationAI
The primary remediation is to apply the vendor-released patch from Microsoft via Windows Update or the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42906. An exact fixed version number was not included in the available source data, so the MSRC advisory must be consulted to confirm the specific KB article and build version that addresses this CVE. As a compensating control where immediate patching is not feasible, organizations should enforce least-privilege access policies to minimize the number of accounts with local interactive logon rights, particularly on shared or sensitive systems. Restricting local logon via Group Policy (Deny log on locally) for non-essential accounts reduces the pool of potential attackers who can reach this vulnerability. Note that this control does not eliminate the vulnerability but reduces attack surface. Auditing and monitoring Windows Shell activity via Sysmon or EDR telemetry can also help detect anomalous local information access attempts pending patch deployment.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35595
GHSA-v6gv-hf2r-vmgw