CVE-2026-42907: Windows Shell Information Disclosure (CVSS 6.5)
CVE-2026-42907 is a medium-severity information disclosure vulnerability in Windows Shell that allows an authorized user to leak sensitive data over the network. The flaw requires valid credentials to exploit but does not need user interaction, making it a concern for organizations where user trust boundaries are weak or privilege separation is inadequate. No code execution or system damage occurs; the risk is purely confidentiality loss.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 19 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability is classified as an information exposure issue (CWE-200) affecting Windows Shell across multiple Windows 10 and Windows 11 versions, as well as Windows Server 2019, 2022, and 2025. The CVSS 3.1 score of 6.5 (Medium) reflects a network-accessible attack vector requiring valid credentials (PR:L), no user interaction needed (UI:N), and high confidentiality impact (C:H) with no integrity or availability impact. The attack surface is limited to authenticated sessions, but the absence of any additional complexity factors means exploitation is straightforward for a malicious insider or compromised account holder.
Business impact
Organizations running affected Windows versions should assess exposure based on their user population and data sensitivity. The vulnerability poses a targeted risk: an insider, compromised service account, or lateral-movement attacker with valid credentials can extract confidential information without leaving obvious traces of high-impact system compromise. This is particularly relevant in environments storing secrets, intellectual property, or PII accessible through Shell mechanisms. For most organizations, this is a medium-priority remediation alongside patching efforts but not an emergency-tier incident driver.
Affected systems
The vulnerability affects a wide range of Microsoft products: Windows 10 (versions 1809, 21H2, and 22H2), all supported Windows 11 versions (23H2, 24H2, 25H2, and 26H1), and Windows Server editions 2019, 2022, and 2025. Organizations should verify which specific versions are deployed in their environment and cross-reference against patch availability. The broad coverage suggests this is a systemic Shell component issue rather than a version-specific defect.
Exploitability
Exploitation requires valid user credentials on a Windows system; there is no unauthenticated attack path. An attacker cannot trigger this remotely without first obtaining legitimate access or compromising an existing user account. The low complexity and lack of user interaction requirements mean that once credentials are available, exploitation is reliable and difficult to defend against at the protocol level. This makes credential hygiene, privileged access management, and behavioral monitoring critical countermeasures.
Remediation
Remediation depends on patch availability from Microsoft for your specific Windows version and build. Monitor the Microsoft Security Update Guide and vendor advisories for CVE-2026-42907 patches; when available, apply updates prioritizing server infrastructure and systems handling sensitive data. Until patches are available, mitigate by restricting Shell access to trusted users, reducing excessive credential distribution, and implementing network segmentation to limit data exposure scope.
Patch guidance
Check Microsoft's official security advisories and the Security Update Guide for patch versions addressing this CVE. Apply updates to affected Windows 10, Windows 11, and Windows Server editions as they become available. Verify patch applicability against your exact OS version and build number before deployment. Test patches in a non-production environment first, particularly for Server editions, to ensure compatibility with business-critical applications.
Detection guidance
Monitor for anomalous Shell activity from user accounts, particularly those with elevated privileges or access to sensitive data. Look for unusual network connections initiated by Shell processes (cmd.exe, powershell.exe, or similar) to external or unexpected destinations. Correlate user login events with Shell process execution outside normal working patterns. Endpoint detection and response (EDR) tools should flag suspicious data access patterns, file operations, or network communication linked to Shell subsystems. Behavioral analytics around information disclosure are more valuable than signature-based detection for this threat.
Why prioritize this
This vulnerability merits medium priority in patch planning. It requires authentication to exploit, limiting the attack surface compared to critical remote code execution flaws. However, the high confidentiality impact and straightforward exploitation path make it more dangerous than typical medium-severity issues. Prioritize systems handling sensitive data, privileged user workstations, and servers in trusted internal networks. For most general-purpose desktops in well-segmented environments with strong credential controls, this is secondary to higher-risk patch priorities.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects the balance between restricted access (authenticated only, PR:L) and substantial harm (C:H, confidentiality). The network attack vector (AV:N) and low complexity (AC:L) prevent a lower score despite the authentication requirement. The zero impact on integrity and availability keeps this out of the high-severity range. For many organizations, the practical risk is lower due to internal-only network positioning of affected systems, but high-value data targets or environments with weak credential controls should treat this more seriously.
Frequently asked questions
Does this vulnerability allow an attacker to execute code or take over a system?
No. CVE-2026-42907 is strictly an information disclosure vulnerability. It allows disclosure of sensitive data over the network but does not enable code execution, privilege escalation, or system takeover. The impact is limited to confidentiality.
Can this be exploited without valid credentials?
No. The vulnerability requires an authenticated user account to trigger. There is no known unauthenticated attack path. This significantly limits the threat model compared to zero-day remote code execution vulnerabilities.
Which Windows versions should we prioritize for patching?
All affected versions warrant patching based on your data sensitivity and user access patterns. Windows Server editions 2019–2025 and Windows 11 (all supported builds) are typical priority targets. Windows 10 versions 1809, 21H2, and 22H2 should follow, depending on your support lifecycle and organizational risk profile.
What immediate steps should we take before patches are available?
Restrict Shell access to essential users only, enforce strong credential policies, implement privileged access management, and use network segmentation to limit lateral movement. Monitor Shell process behavior and network activity from user accounts for suspicious patterns. Consider increasing access controls on sensitive data until patches deploy.
This analysis is provided for informational purposes to support security decision-making. Verify all patch version numbers, affected builds, and vendor advisories directly against Microsoft's official Security Update Guide before deploying updates. This summary does not constitute professional security advice; consult your security team and vendor documentation for your specific environment. CVSS scores reflect general severity but may not align with your organizational risk tolerance or data criticality. No liability is assumed for decisions made based on this content. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11162MEDIUMChrome CSS Cross-Origin Data Leak Vulnerability
- CVE-2026-11168MEDIUMChrome Extension Memory Disclosure Vulnerability
- CVE-2026-11180MEDIUMChrome SVG Cross-Origin Data Leak – Patch & Mitigation Guide
- CVE-2026-11182MEDIUMChrome SVG Cross-Origin Data Leak Vulnerability
- CVE-2026-11209MEDIUMGoogle Chrome Password Memory Disclosure (CVSS 6.5)
- CVE-2026-11271MEDIUMChrome Password Feature Information Disclosure Vulnerability
- CVE-2026-42906MEDIUMWindows Shell Information Disclosure Vulnerability
- CVE-2026-42970MEDIUMWindows Push Notification Information Disclosure Vulnerability