Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Heap-based buffer overflow in Windows Application Identity (AppID) Subsystem allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows Application Identity (AppID) Subsystem allows low-privileged authenticated users to execute code as SYSTEM via heap buffer overflow. Microsoft has released security patches across Windows 10 (versions 1607-22H2), Windows 11 (versions 22H3-26H1), and Windows Server 2012. CVSS 7.8 score reflects high impact to confidentiality, integrity, and availability. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis. Requires existing local access with standard user privileges, limiting remote attack surface.
Technical ContextAI
The Windows Application Identity (AppID) service enforces AppLocker policies and Software Restriction Policies, running with elevated SYSTEM privileges to determine whether applications are allowed to execute. The vulnerability is a heap-based buffer overflow (CWE-122) occurring when AppID processes untrusted input, allowing memory corruption on the heap. Heap overflows enable attackers to overwrite function pointers, metadata structures, or other critical memory regions to redirect execution flow. The CPE data indicates broad exposure across Windows 10 versions 1607 through 22H2, Windows 11 versions 22H3 through 26H1 (including future releases), and Windows Server 2012. The local attack vector (AV:L) combined with low complexity (AC:L) and low privileges required (PR:L) means any authenticated standard user can trigger the vulnerability without complex preconditions, making this exploitable by malware, insider threats, or second-stage payloads following initial compromise.
RemediationAI
Apply Microsoft's security updates immediately via Windows Update or WSUS according to the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34343, which contains specific KB article numbers and patched build versions for each affected Windows release. Organizations unable to patch immediately should implement defense-in-depth controls: restrict interactive logon rights to minimize standard user access to sensitive systems, deploy application control beyond AppLocker (such as Windows Defender Application Control in enforcement mode) to limit malware execution, enable Attack Surface Reduction (ASR) rules to block suspicious process behaviors, and monitor Windows event logs for AppID service crashes or abnormal behavior (Event IDs in Application Identity service logs). Note that disabling the AppID service breaks AppLocker policy enforcement and is not recommended; instead prioritize rapid patching through emergency change windows for critical infrastructure. Segment networks to contain privilege escalation impact using micro-segmentation or tiered access models where compromised standard user accounts cannot pivot to domain controllers or high-value assets.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29602
GHSA-gpjx-hc3r-xfq8