Skip to main content

Windows Shell CVE-2026-42907

| EUVDEUVD-2026-35596 MEDIUM
Information Exposure (CWE-200)
2026-06-09 secure@microsoft.com GHSA-25wx-66jf-2p4j
6.5
CVSS 3.1 · Vendor: microsoft
Temporal: 5.7
Share

Severity by source

Vendor (microsoft) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CIRCL (temporal)
5.7 MEDIUM
cvss

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 19:01 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 6.5

DescriptionCVE.org

Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally.

AnalysisAI

Information disclosure in Windows Shell exposes sensitive data to authenticated low-privileged attackers, with a confirmed vendor patch available. The vulnerability stems from CWE-200 improper information exposure within the Windows Shell component, allowing confidentiality compromise with no integrity or availability impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact score (C:H) and low attack complexity elevate practical concern for environments where lateral movement or credential harvesting are threat vectors.

Technical ContextAI

Windows Shell is the core user interface layer of Microsoft Windows, responsible for the desktop environment, file system browsing, process execution, and inter-process communication surfaces. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) identifies the root cause as a failure to properly restrict access to data that should be protected - in this context, Windows Shell likely fails to enforce access controls on sensitive objects, environment variables, file paths, registry entries, or tokens it processes. The CVSS vector specifies CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating a network-reachable attack path requiring low-privilege credentials. However, the CVE description explicitly states the disclosure occurs 'locally,' which is a direct conflict with the AV:N vector - this discrepancy must be resolved with vendor confirmation before assessing remote exploitability.

RemediationAI

The primary remediation is to apply the vendor-released patch from Microsoft available via the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42907. An exact patched version number was not included in the available intelligence data; consult the MSRC advisory to confirm the specific KB article and build. If immediate patching is not feasible and the actual attack vector is confirmed as local (per the description), restrict interactive and remote login access to the affected systems to only trusted, necessary user accounts, minimizing the pool of low-privilege principals who could trigger the disclosure. If the AV:N vector is accurate and the vulnerability is remotely exploitable, consider restricting network access to Windows Shell-adjacent services (e.g., RPC endpoints, SMB, RDS) from untrusted network segments as a compensating control. Note that network segmentation is a partial mitigation only and does not substitute for patching.

CVE-2025-33053 HIGH POC
8.8 Jun 10

Windows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables

CVE-2025-33073 HIGH POC
8.8 Jun 10

Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker

CVE-2025-21293 HIGH POC
8.8 Jan 14

Active Directory Domain Services contains an elevation of privilege vulnerability that allows authenticated domain users

CVE-2025-30397 HIGH POC
7.5 May 13

Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the

CVE-2025-32706 HIGH POC
7.8 May 13

Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulne

CVE-2025-21418 HIGH
7.8 Feb 11

Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow enabling local privilege escalation

CVE-2026-21510 HIGH POC
8.8 Feb 10

Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote atta

CVE-2023-38545 CRITICAL POC
9.8 Oct 18

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. Rated critical severity (CVSS 9.8), thi

CVE-2025-47827 MEDIUM POC
4.6 Jun 05

In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptograph

CVE-2026-21519 HIGH
7.8 Feb 10

Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables

CVE-2025-32701 HIGH
7.8 May 13

Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a se

CVE-2025-21391 HIGH
7.1 Feb 11

Windows Storage contains an elevation of privilege vulnerability through symlink following that allows authorized attack

Share

CVE-2026-42907 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy