Impact
A buffer over-read occurs in the Windows Projected File System component, allowing an attacker who already has local access to gain higher privileges on the affected machine. The vulnerability is classified under CWE-126 (buffer over-read): improper bounds checking lets the code read beyond the intended memory region, and the page states this can be abused to hijack control flow or inject data that changes security contexts. Because the flaw is exploitable only from an existing local foothold, the impact is confined to systems where the attacker can already execute code or perform privileged operations; from there, it could yield full control of the machine, potentially without triggering intrusion detection systems.
Affected Systems
Microsoft Windows 10 versions 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 22H3, including both 64-bit and 32-bit builds; Windows Server 2019 and Windows Server 2022 (including Server Core and 23H2 editions); Windows Server 2025 and its Server Core installation. All listed editions are impacted regardless of architecture, as documented in Microsoft's advisory.
Risk and Exploitability
The CVSS score of 7.8 classifies this flaw as high severity. The very low EPSS score (< 1 %) indicates that, as of the latest public data, widespread in-the-wild exploitation is unlikely, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is an authorized local attacker performing actions that rely on the projected file system, such as accessing mounted network shares. Because the threat is local, limiting exposure of the projected file system to untrusted sources reduces risk.
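As an added, defender-side example (not part of this advisory or of Microsoft's own tooling), the PowerShell inventory script below reports whether a host runs one of the listed releases and whether the Projected File System is actually present and enabled, which is the first thing a practitioner needs before deciding whether the "limit exposure" advice applies. The feature name Client-ProjFS, the PrjFlt minifilter name, and the build-number map are my assumptions from general Windows knowledge; the advisory lists versions, not builds, so the map covers only the versions I can place.

```powershell
# Added example: inventory a host's exposure to the ProjFS buffer over-read described above.
# Assumptions (not from the advisory): the optional feature is named Client-ProjFS, the
# minifilter driver/service is PrjFlt, and the build numbers are the usual ones for the
# listed releases. Run from an elevated prompt; no changes are made to the host.

# Assumed mapping of the advisory's listed releases to OS build numbers.
$AffectedBuilds = @{
    17763 = 'Windows 10 1809 / Windows Server 2019'
    19044 = 'Windows 10 21H2'
    19045 = 'Windows 10 22H2'
    20348 = 'Windows Server 2022'
    22631 = 'Windows 11 23H2'
    25398 = 'Windows Server 23H2 edition'
    26100 = 'Windows 11 24H2 / Windows Server 2025'
    26200 = 'Windows 11 25H2'
}

function Get-ProjFSExposure {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    # DisplayVersion exists on newer releases; 1809 only carries ReleaseId.
    $release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
    $inScope = $AffectedBuilds.ContainsKey($build)

    # Is the projected file system optional feature turned on? (Off by default on clients.)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Client-ProjFS' -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { 'NotPresent' }

    # Is the ProjFS minifilter registered on disk / in the service database at all?
    $driverFile = Join-Path $env:SystemRoot 'System32\drivers\prjflt.sys'
    $driverReg  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PrjFlt'
    $driverPresent = (Test-Path $driverFile) -or (Test-Path $driverReg)

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        Product        = $cv.ProductName      # note: Windows 11 still reports "Windows 10 ..." here
        Release        = $release
        Build          = $build
        AffectedBuild  = $inScope
        ProjFSFeature  = $featureState
        PrjFltPresent  = $driverPresent
        # Highest exposure: an in-scope build with the feature enabled and the fix not yet applied.
        Exposed        = ($inScope -and $featureState -eq 'Enabled')
    }
}

Get-ProjFSExposure | Format-List
```

Run it under a configuration-management or EDR script job to collect the same object from every host, then prioritise patching where Exposed is True.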
OpenCVE Enrichment