Skip to main content

Windows Shell EUVDEUVD-2026-35595

| CVE-2026-42906 MEDIUM
Information Exposure (CWE-200)
2026-06-09 secure@microsoft.com GHSA-v6gv-hf2r-vmgw
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 19:01 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 5.5

DescriptionNVD

Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally.

AnalysisAI

Windows Shell exposes sensitive information to locally authenticated, low-privileged attackers without requiring user interaction or elevated privileges. The vulnerability (CWE-200) results in high confidentiality impact, allowing disclosure of sensitive data accessible through the Shell component. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the Microsoft Security Response Center (MSRC) has acknowledged the issue via advisory.

Technical ContextAI

Windows Shell (explorer.exe and associated subsystems) serves as the graphical user interface layer of Microsoft Windows, handling file system browsing, application launching, and inter-process communication. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) indicates that the Shell component improperly exposes data - such as file paths, tokens, environment variables, or registry values - to a low-privileged process or user that should not have access to that information. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms this is a local attack requiring only standard user-level access, with no interaction from other users needed. The scope is unchanged (S:U), meaning the vulnerability does not allow the attacker to break out of the security context of the Shell component itself. No CPE strings were provided in the source data; affected Windows versions must be confirmed via the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42906.

RemediationAI

The primary remediation is to apply the vendor-released patch from Microsoft via Windows Update or the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42906. An exact fixed version number was not included in the available source data, so the MSRC advisory must be consulted to confirm the specific KB article and build version that addresses this CVE. As a compensating control where immediate patching is not feasible, organizations should enforce least-privilege access policies to minimize the number of accounts with local interactive logon rights, particularly on shared or sensitive systems. Restricting local logon via Group Policy (Deny log on locally) for non-essential accounts reduces the pool of potential attackers who can reach this vulnerability. Note that this control does not eliminate the vulnerability but reduces attack surface. Auditing and monitoring Windows Shell activity via Sysmon or EDR telemetry can also help detect anomalous local information access attempts pending patch deployment.

Share

EUVD-2026-35595 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy