CVE-2026-48566: Windows DWM Out-of-Bounds Read Memory Disclosure
CVE-2026-48566 is a memory-reading flaw in Windows Desktop Window Manager (DWM) Core Library that allows a logged-in user to read sensitive information from memory that they should not have access to. An attacker with a local user account can exploit this to leak confidential data—such as encryption keys, authentication tokens, or other protected information—without crashing the system or modifying files. The vulnerability requires the attacker to already have an account on the machine; it cannot be exploited remotely.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 7 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is an out-of-bounds read vulnerability (CWE-125) in the DWM Core Library component of Windows. The flaw permits an authenticated local user to read memory beyond the intended bounds of a data structure or buffer, disclosing information that resides in adjacent memory regions. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates low attack complexity, local-only attack surface, low privilege requirements, no user interaction needed, and high confidentiality impact with no integrity or availability impact. The vulnerability does not lead to privilege escalation or denial of service, but the confidentiality breach can be severe depending on what data resides in memory at exploit time.
Business impact
Organizations should assess whether sensitive workloads run on affected Windows systems with untrusted local users. If development environments, shared lab machines, or multi-tenant systems are exposed, adversaries or disgruntled employees could extract credentials, API keys, proprietary algorithms, or customer data from RAM. The risk is elevated in environments where local account creation is dynamic or contractor/temp access is common. However, the requirement for pre-existing local access limits the attack scope; this is not a worm vector and does not enable network-based compromise.
Affected systems
This vulnerability affects Windows 11 versions 24H2, 25H2, and 26H1, as well as Windows Server 2025. Verify your installed Windows 11 build against the release history and check your Server 2025 deployment status. Organizations running earlier Windows 11 versions (21H2, 22H2, 23H2) may not be affected, but consult Microsoft's advisory for definitive coverage.
Exploitability
Exploitation requires local system access with a standard user account—no administrator privileges are needed. Attack complexity is low, meaning a straightforward, reliable method to trigger the out-of-bounds read exists. The vulnerability does not require user interaction. However, practical exploitation depends on memory layout and the specific data an attacker seeks; some exploits may require timing or repeated attempts. Public exploit code is not yet known to be in the wild, and the vulnerability is not tracked in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Apply security updates from Microsoft as soon as they become available for your Windows 11 and Server 2025 instances. Verify patch status through Windows Update or WSUS. In the interim, restrict local account creation and audit existing local user accounts to remove unnecessary access. Implement multi-factor authentication and monitor for unusual memory-access patterns or suspicious process behavior via endpoint detection and response (EDR) tools.
Patch guidance
Monitor Microsoft's monthly Patch Tuesday releases and security advisories for updates addressing CVE-2026-48566. Test patches in a non-production environment first, particularly in large deployments. Organizations with stringent change-control windows should prioritize this for the next maintenance cycle, given the moderate CVSS score and the requirement for local access. Verify patch installation using Windows Update history or WSUS reporting.
Detection guidance
Look for unexpected process activity targeting memory regions of critical processes (lsass, svchost, etc.) or memory-scanning tools executed by non-admin users. EDR solutions capable of monitoring system calls related to memory access (OpenProcess, ReadProcessMemory) can flag suspicious patterns. Review local user logon events and process creation logs for correlation with data exfiltration or unauthorized credential use. Baseline normal memory-access behavior to surface anomalies.
Why prioritize this
While the CVSS score of 5.5 (MEDIUM) is not critical, the high confidentiality impact and low barrier to exploitation by any local user warrants prompt attention. Organizations should prioritize this ahead of vulnerabilities affecting lower-impact systems, but below critical or high-severity flaws. The lack of KEV status suggests limited in-the-wild exploitation to date, but that should not delay patching in environments with sensitive data or multi-user access patterns.
Risk score, explained
The score reflects high confidentiality risk (information disclosure from memory) offset by the mandatory local-access prerequisite. Attack complexity and privileges required are both low, elevating the practical exploitability. Integrity and availability are unaffected, which prevents a higher severity rating. For organizations with strong local access controls and encrypted data at rest, the risk may be lower; for those with shared systems or loose account management, it rises.
Frequently asked questions
Do I need administrator rights to exploit this vulnerability?
No. An attacker can exploit CVE-2026-48566 with a standard user account. This makes it a significant risk in multi-user environments or systems where contractor or temporary accounts are provisioned.
Is this vulnerability being exploited in the wild?
As of the publication date (June 2026), this flaw is not listed in CISA's Known Exploited Vulnerabilities catalog and no public exploit code is confirmed to be circulating. However, organizations should not treat this as a low priority; proactive patching remains essential.
Which Windows 11 versions are unaffected?
Check your Windows 11 build number. Versions 24H2, 25H2, and 26H1 are confirmed affected. Older releases (21H2, 22H2, 23H2) may be safe, but consult Microsoft's official advisory to confirm. All Windows Server 2025 deployments are affected.
Can this vulnerability be exploited over the network?
No. The attack vector is local-only (AV:L). An attacker must have an active local user session or account on the affected machine. Network-based exploitation is not possible.
This analysis is based on publicly available information as of June 2026. Patch availability, affected build numbers, and exploitation status may change. Organizations should verify all version numbers and patch guidance against Microsoft's official security advisories and their own environment configurations. This information is provided for risk assessment and operational decision-making; it does not constitute legal or compliance advice. Always test patches in non-production environments before broad deployment. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11005MEDIUMOut-of-Bounds Read in Chrome ANGLE on Windows
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-11075MEDIUMOut-of-Bounds Read in Chrome V8 Engine – Memory Disclosure Vulnerability
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-11096MEDIUMChrome WebRTC Out-of-Bounds Read
- CVE-2026-11183MEDIUMChrome GWP-ASan Memory Disclosure – Patch Guidance