Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
Out-of-bounds read in Windows Application Identity (AppID) Subsystem allows an authorized attacker to disclose information locally.
AnalysisAI
Out-of-bounds read in the Windows Application Identity (AppID) Subsystem exposes sensitive kernel or process memory to a local authenticated attacker without requiring elevated privileges or user interaction. Affected builds span Windows 11 versions 23H2 through 26H1 and Windows Server 2025, including Server Core installations. No public exploit code has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the high confidentiality impact (CVSS C:H) indicates meaningful data exposure potential when triggered.
Technical ContextAI
The Windows Application Identity (AppID) service underpins AppLocker and software restriction policy enforcement by validating executable identities against policy rules. CWE-125 (Out-of-bounds Read) describes a memory safety flaw where a component reads data beyond the allocated buffer boundary, potentially exposing adjacent memory regions containing sensitive data such as credentials, cryptographic material, or kernel structures. The CVSS vector (AV:L/AC:L/PR:L) confirms this is a local, low-complexity flaw requiring only a standard (non-elevated) user account. Affected CPE targets include Windows 11 build lines from 10.0.22631 (23H2) through 10.0.28000 (26H1) and Windows Server 2025 at build 10.0.26100, per EUVD-2026-35553 data.
RemediationAI
Apply the Microsoft security update that brings affected builds to or above the following fixed versions: Windows 11 26H1 → 10.0.28000.2269; Windows 11 25H2 → 10.0.26200.8655; Windows 11 24H2 → 10.0.26100.8655; Windows 11 23H2 → 10.0.22631.7219; Windows Server 2025 and Server Core → 10.0.26100.32995. Updates are available via Windows Update, WSUS, and Microsoft Update Catalog - consult https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45604 for direct download links. If immediate patching is not feasible on a sensitive system, a compensating control is to restrict interactive and remote logon rights to the affected host to only named, trusted administrators via Group Policy (User Rights Assignment: 'Allow log on locally' and 'Allow log on through Remote Desktop Services'), reducing the attacker pool. This control does not eliminate the vulnerability but raises the bar to high-privileged accounts only. Note that disabling the AppID service itself would break AppLocker enforcement, which is a significant security regression and is not recommended as a workaround.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35553
GHSA-95c9-4wfm-w24v