Skip to main content

Microsoft EUVDEUVD-2026-22378

| CVE-2026-26155 MEDIUM
Buffer Over-read (CWE-126)
2026-04-14 microsoft
6.5
CVSS 3.1 · NVD
Temporal: 5.7
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CIRCL (temporal)
5.7 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 19:40 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22378
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:56 nvd
MEDIUM 6.5

DescriptionCVE.org

Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

AnalysisAI

Microsoft Local Security Authority Subsystem Service (LSASS) information disclosure vulnerability allows authenticated network attackers to read sensitive memory contents via a bounds check bypass in the LSASS process. The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), Windows Server 2016, 2019, 2022, and 2025. No public exploit code or active exploitation has been reported; vendor-released patches are available across all affected versions.

Technical ContextAI

The vulnerability resides in the Local Security Authority Subsystem Service (LSASS), a critical Windows system process responsible for authentication, password changes, and security policy enforcement. The root cause is classified as CWE-126 (Buffer Over-read), which occurs when a bounds check is insufficient or missing, allowing an attacker to read memory beyond intended buffer boundaries. LSASS runs with SYSTEM privileges and handles sensitive authentication credentials and tokens in memory. The vulnerability is reachable via network access (CVSS vector AV:N) but requires prior authentication (PR:L), indicating the attacker must already have valid credentials on the target system. The affected components span multiple Windows versions across both client and server editions, as identified through the CPE strings covering Windows 10 editions 1607-22H2, Windows 11 editions 22H3-26H1, and Windows Server 2016-2025.

RemediationAI

Apply vendor-released security patches immediately across all affected systems. For Windows 10 version 1607, update to build 14393.9060 or later; for version 1809, update to 17763.8644 or later; for version 21H2, update to 19044.7184 or later; for version 22H2, update to 19045.7184 or later. For Windows 11 versions 22H3 and 23H2, update to build 22631.6936 or later; for version 24H2, update to 26100.32690 or later; for version 25H2, update to 26200.8246 or later; for version 26H1, update to 28000.1836 or later. For Windows Server 2016, update to build 14393.9060 or later; for Server 2019, update to 17763.8644 or later; for Server 2022, update to 20348.5020 or later (23H2 Edition: 25398.2274 or later); for Server 2025, update to 26100.32690 or later. Consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26155 for deployment guidance. As a compensating control, limit network access to LSASS-dependent services and restrict user account privileges to minimize credential compromise risk.

Share

EUVD-2026-22378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy