Skip to main content

Windows AppID EUVDEUVD-2026-29602

| CVE-2026-34343 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-12 microsoft GHSA-gpjx-hc3r-xfq8
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 18:34 vuln.today
CVE Published
May 12, 2026 - 16:58 nvd
HIGH 7.8

DescriptionCVE.org

Heap-based buffer overflow in Windows Application Identity (AppID) Subsystem allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows Application Identity (AppID) Subsystem allows low-privileged authenticated users to execute code as SYSTEM via heap buffer overflow. Microsoft has released security patches across Windows 10 (versions 1607-22H2), Windows 11 (versions 22H3-26H1), and Windows Server 2012. CVSS 7.8 score reflects high impact to confidentiality, integrity, and availability. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis. Requires existing local access with standard user privileges, limiting remote attack surface.

Technical ContextAI

The Windows Application Identity (AppID) service enforces AppLocker policies and Software Restriction Policies, running with elevated SYSTEM privileges to determine whether applications are allowed to execute. The vulnerability is a heap-based buffer overflow (CWE-122) occurring when AppID processes untrusted input, allowing memory corruption on the heap. Heap overflows enable attackers to overwrite function pointers, metadata structures, or other critical memory regions to redirect execution flow. The CPE data indicates broad exposure across Windows 10 versions 1607 through 22H2, Windows 11 versions 22H3 through 26H1 (including future releases), and Windows Server 2012. The local attack vector (AV:L) combined with low complexity (AC:L) and low privileges required (PR:L) means any authenticated standard user can trigger the vulnerability without complex preconditions, making this exploitable by malware, insider threats, or second-stage payloads following initial compromise.

RemediationAI

Apply Microsoft's security updates immediately via Windows Update or WSUS according to the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34343, which contains specific KB article numbers and patched build versions for each affected Windows release. Organizations unable to patch immediately should implement defense-in-depth controls: restrict interactive logon rights to minimize standard user access to sensitive systems, deploy application control beyond AppLocker (such as Windows Defender Application Control in enforcement mode) to limit malware execution, enable Attack Surface Reduction (ASR) rules to block suspicious process behaviors, and monitor Windows event logs for AppID service crashes or abnormal behavior (Event IDs in Application Identity service logs). Note that disabling the AppID service breaks AppLocker policy enforcement and is not recommended; instead prioritize rapid patching through emergency change windows for critical infrastructure. Segment networks to contain privilege escalation impact using micro-segmentation or tiered access models where compromised standard user accounts cannot pivot to domain controllers or high-value assets.

Share

EUVD-2026-29602 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy