Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionNVD
Out-of-bounds read in Windows Telephony Service allows an authorized attacker to disclose information locally.
AnalysisAI
Out-of-bounds read in the Windows Telephony Service exposes sensitive memory contents to locally authenticated attackers across a broad range of Windows client and server versions. The flaw (CWE-125) is exploitable with only low privileges and no user interaction, yielding high confidentiality impact while leaving integrity and availability unaffected. No public exploit code or active exploitation has been identified; CISA's SSVC framework rates this as non-automatable with partial technical impact, placing it at medium operational priority.
Technical ContextAI
The Windows Telephony Service implements Microsoft's Telephony Application Programming Interface (TAPI), a subsystem enabling voice, data, and fax communications for applications. CWE-125 (Out-of-bounds Read) identifies the root cause as an improper bounds check during a memory read operation within the service - the code reads beyond the intended buffer boundary, returning data from adjacent memory regions. The CVSS vector AV:L/AC:L/PR:L/UI:N indicates the vulnerable code path is accessible to standard, low-privilege local users interacting with the telephony service API without requiring elevated rights. Notably, the source data includes a 'Buffer Overflow' tag; this appears to be a loose categorization, as the authoritative CWE-125 classifies this as an out-of-bounds read rather than a write - a meaningful distinction since reads disclose memory rather than corrupt it. Affected CPE strings span Windows builds from 6.2.9200 (Server 2012) through 10.0.28000 (Windows 11 26H1), confirming the vulnerability is present across many generations of the Windows codebase.
RemediationAI
Apply the Microsoft security update for each affected Windows version as documented in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42968. Per EUVD-2026-35728 version range data, the minimum fixed builds are: Windows Server 2012 to 6.2.9200.26132, Windows Server 2012 R2 to 6.3.9600.23228, Windows Server 2016 and Windows 10 1607 to 10.0.14393.9234, Windows Server 2019 and Windows 10 1809 to 10.0.17763.8880, Windows Server 2022 to 10.0.20348.5256, Windows 10 21H2 to 10.0.19044.7417, Windows 10 22H2 to 10.0.19045.7417, Windows 11 23H2 to 10.0.22631.7219, Windows 11 24H2 and Windows Server 2025 to 10.0.26100.8655 (client) and 10.0.26100.32995 (server), Windows 11 25H2 to 10.0.26200.8655, and Windows 11 26H1 to 10.0.28000.2269. Where immediate patching is not feasible, a targeted compensating control is to disable the Windows Telephony Service (tapisrv) on systems that do not require TAPI functionality - this can be done via Services MMC or 'sc config tapisrv start= disabled' followed by a service stop. Trade-off: disabling tapisrv will break any application relying on TAPI for voice, modem, or fax communication. Additionally, restricting local interactive logon rights on sensitive systems to minimize the pool of users who could trigger the vulnerable code path reduces exposure without functional impact.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35728
GHSA-hjx2-grp5-hc9f