Skip to main content

Azure Attestation Service CVE-2026-45642

| EUVDEUVD-2026-35689 LOW
Improper Input Validation (CWE-20)
2026-06-09 secure@microsoft.com GHSA-6xx7-8vwc-676h
3.9
CVSS 3.1 · NVD
Temporal: 3.4

Severity by source

NVD PRIMARY
3.9 LOW
AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CIRCL (temporal)
3.4 LOW
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 19:38 vuln.today
Patch available
Jun 09, 2026 - 19:03 EUVD

DescriptionNVD

Improper input validation in Microsoft Azure Attestation service and Device Health Attestation Service allows an authorized attacker to perform spoofing with a physical attack.

AnalysisAI

Spoofing via improper input validation affects Microsoft Azure Attestation service and the Device Health Attestation Service component across a broad range of Windows OS versions, from Windows Server 2012 through Windows Server 2025 and Windows 10/11. An authorized attacker with high privileges and physical access to the target device can manipulate attestation inputs to spoof device health or platform integrity status, achieving a high-integrity impact with no confidentiality or availability consequence. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; the CVSS score of 3.9 (Low) reflects the significant physical and privilege barriers to exploitation.

Technical ContextAI

The Device Health Attestation (DHA) Service and Azure Attestation service rely on CWE-20 (Improper Input Validation) as the root cause - the attestation pipeline fails to adequately validate input data supplied during a physical interaction, allowing crafted or manipulated measurements to be accepted as legitimate. Attestation services are designed to cryptographically verify the integrity of a device's boot chain and platform state (e.g., TPM measurements, Secure Boot status) to produce a trusted health claim. When input validation is insufficient, an attacker with physical access and high system privileges could submit falsified measurement data to the attestation pipeline, causing the service to produce a fraudulent but signed attestation report. The affected surface spans Windows OS implementations of the DHA Service across multiple generations, as evidenced by the EUVD-confirmed CPE ranges covering Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server 2012 through 2025.

RemediationAI

Vendor-released patches are available for all affected Windows versions via the Microsoft Security Response Center. Administrators should apply the cumulative updates that bring affected builds to or above the fixed versions listed in EUVD-2026-35689: Windows Server 2025 to 10.0.26100.32995 or later, Windows Server 2022 to 10.0.20348.5256 or later, Windows Server 2019 to 10.0.17763.8880 or later, Windows Server 2016 to 10.0.14393.9234 or later, Windows 11 to the respective patched builds per channel, and Windows 10 to 10.0.19044.7417 / 10.0.19045.7417 or later depending on version. The full advisory and update packages are available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45642. As a compensating control prior to patching, organizations relying on device attestation for conditional access or compliance should enforce physical security controls (locked server rooms, USB port restrictions, chassis intrusion detection) to eliminate the physical access prerequisite. Restricting high-privilege account usage on attestation-sensitive systems also reduces exposure. Note that physical security controls carry operational overhead and do not address the underlying software defect.

Share

CVE-2026-45642 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy