MEDIUM 5.5

CVE-2026-45604: Windows AppID Out-of-Bounds Read Vulnerability

A flaw in Windows Application Identity (AppID) Subsystem allows an already-logged-in user to read memory they shouldn't have access to, potentially exposing sensitive information. An attacker would need legitimate local credentials and active system access to exploit it. This is a local-only disclosure issue with no ability to crash the system or modify data.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
9 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Out-of-bounds read in Windows Application Identity (AppID) Subsystem allows an authorized attacker to disclose information locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45604 is an out-of-bounds read vulnerability (CWE-125) in the Windows AppID subsystem. The flaw permits an authenticated local user to access memory regions outside intended boundaries, leading to information disclosure. The CVSS 3.1 score of 5.5 (Medium) reflects the requirement for local access and prior authentication, combined with high confidentiality impact but no integrity or availability compromise. The attack vector is local, requires low complexity, and no user interaction.

Business impact

Information disclosure through this vulnerability could expose configuration data, credentials, or other sensitive memory contents accessible to the AppID service. For organizations running Windows 11 or Windows Server 2025, the risk is primarily one of data confidentiality. Affected users must already be authenticated locally, limiting the blast radius. However, in environments where local account compromise is plausible, this becomes a secondary escalation path for harvesting sensitive information post-breach.

Affected systems

Microsoft Windows 11 versions 23H2, 24H2, 25H2, and 26H1 are affected, as well as Windows Server 2025. The vulnerability does not affect earlier Windows versions or Windows 10. Organizations running any of these current Windows 11 releases or Windows Server 2025 should evaluate their exposure based on the number of authenticated local users and the sensitivity of information stored in AppID-related memory regions.

Exploitability

Exploitation requires prior authentication to the target system and local access. No network exploitation is possible. The attack is straightforward to execute once access is obtained—the vulnerability does not require special privileges or complex interaction. However, the practical impact depends on what sensitive data happens to be resident in AppID memory at the time of exploitation. This is not listed on the CISA KEV catalog, indicating no evidence of active in-the-wild exploitation as of the publication date.

Remediation

Microsoft has released security updates addressing this vulnerability. Users should apply Windows Updates when available for their specific Windows 11 version or Windows Server 2025 installation. Organizations should prioritize systems with high user turnover or shared local accounts. Interim mitigations include restricting local login privileges and monitoring for unusual local access patterns.

Patch guidance

Verify the latest security updates from Microsoft for Windows 11 (23H2, 24H2, 25H2, 26H1) and Windows Server 2025 through Windows Update or the Microsoft Security Update Guide. Apply patches in a phased manner, starting with internet-facing systems and those supporting remote work environments. Test patches in a non-production environment first to ensure compatibility with dependent applications and services.

Detection guidance

Monitor for unusual access to AppID subsystem services using Windows Event Viewer and security event logs. Look for attempts to enumerate or read memory from AppID-related processes. Advanced detection can leverage endpoint detection and response (EDR) tools to flag suspicious memory access patterns or anomalous AppID subsystem calls from low-privilege user processes. Correlate local login activity with subsequent suspicious system calls to identify potential exploitation attempts.

Why prioritize this

This vulnerability warrants medium-priority patching. While the CVSS score is 5.5 and exploitation requires prior authentication, it offers a path to sensitive information disclosure in the post-compromise phase. Organizations with high-security environments, shared lab systems, or high-risk user populations should accelerate patching. The absence of active exploitation and lack of availability impact make it lower-priority than critical remote code execution flaws, but still important to address within standard patch cycles.

Risk score, explained

The CVSS 3.1 score of 5.5 reflects a locally accessible vulnerability requiring authenticated access, but with high confidentiality impact. The absence of integrity or availability impact and the requirement for prior authentication keep the score in the Medium band. Organizations should still prioritize this in their standard maintenance windows, as post-compromise information disclosure can significantly aid attackers in lateral movement or privilege escalation.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The vulnerability requires local access to the system and prior authentication. Remote exploitation is not possible.

What information could be disclosed through this flaw?

The specific information exposed depends on what data is resident in AppID subsystem memory at the time of exploitation. Potential targets include configuration data, security tokens, or other process memory contents. The actual impact varies by system state and workload.

Is this vulnerability currently being actively exploited in the wild?

No. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date, indicating no evidence of active exploitation.

Which systems should I prioritize for patching?

Prioritize any Windows 11 (23H2, 24H2, 25H2, 26H1) or Windows Server 2025 systems with multiple local users, shared accounts, or support for remote work scenarios where local compromise is plausible.

This analysis is based on publicly available vulnerability data as of June 2026. Patch availability, vendor statements, and exploitation status may change. Organizations should verify specific patch versions against official Microsoft security advisories before deployment. This summary does not constitute legal, compliance, or procurement advice. Always test updates in a non-production environment and consult with your security team regarding prioritization within your specific threat model and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).