Description
Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally.
Published: 2025-12-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

A buffer over‑read in Windows Projected File System allows an authorized attacker to elevate privileges locally. The flaw is a classic CWE-126 improper bounds checking error that can be triggered when that component reads beyond the bounds of a buffer, potentially enabling privilege escalation.

Affected Systems

Affected products include Microsoft Windows 10 versions 1809, 21H2 and 22H2; Windows 11 versions 23H2, 24H2, 25H2 and 22H3; Microsoft Windows Server 2019, Windows Server 2022, Windows Server 2025 and their respective Server Core installations. All listed releases contain the vulnerable Projected File System code.

Risk and Exploitability

The CVSS score of 7.8 places the vulnerability in the high severity range, while the EPSS score of less than 1% indicates a low probability of exploitation at this time. The vulnerability is not listed in CISA KEV. The description states that the flaw allows an authorized attacker to elevate privileges locally, implying a local attack vector that requires the attacker to have some legitimate access to the system. Based on the description, it is inferred that the attacker must create or manipulate a projected file system image to trigger the buffer over‑read, but the official advisory does not detail the exact exploitation steps.

Generated by OpenCVE AI on April 20, 2026 at 17:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for CVE-2025-62462 via Windows Update or the Microsoft Security Update Guide.
  • If the Projected File System feature is not required, disable or remove it to eliminate the attack surface.
  • Restrict permissions on PFS image files so that only administrators can modify them, reducing the risk of an attacker crafting a malicious image.

Generated by OpenCVE AI on April 20, 2026 at 17:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Dec 2025 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows Server 2022 23h2
CPEs cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows Server 2022 23h2

Tue, 09 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Description Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally.
Title Windows Projected File System Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Microsoft windows Server 23h2
Weaknesses CWE-126
CPEs cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Microsoft windows Server 23h2
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Windows 10 1809 Windows 10 21h2 Windows 10 21h2 Windows 10 22h2 Windows 10 22h2 Windows 11 23h2 Windows 11 23h2 Windows 11 24h2 Windows 11 24h2 Windows 11 25h2 Windows 11 25h2 Windows Server 2019 Windows Server 2022 Windows Server 2022 23h2 Windows Server 2025 Windows Server 23h2
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:44.908Z

Reserved: 2025-10-14T18:24:58.484Z

Link: CVE-2025-62462

cve-icon Vulnrichment

Updated: 2025-12-09T20:15:22.391Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-09T18:15:57.860

Modified: 2025-12-10T18:47:44.970

Link: CVE-2025-62462

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:45:12Z

Weaknesses