Impact
The Desktop Window Manager component in several Microsoft Windows and Windows Server products exposes sensitive data to an unauthorized local actor. The flaw permits a local attacker, for example malware running under a standard user account, to read information that should be protected by system boundaries. The impact is a loss of confidentiality on the affected machine; there is no evidence of privilege escalation, denial of service, or remote code execution.
Affected Systems
Affected systems include Microsoft Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (22H3, 23H2, 24H2, 25H2), and Windows Server editions (2012, 2012 R2, 2016, 2019, 2022, 2025, 23H2). The x86, x64 and arm64 architectures are all impacted in the releases listed. The vulnerability applies to both client and server builds, including Server Core installations, as detailed in the vendor's affected-product list.
Risk and Exploitability
The CVSS score of 5.5 denotes moderate severity, and an EPSS score of 5% indicates a low but non-zero likelihood of exploitation. The vulnerability is listed in CISA's KEV catalog. The description indicates that the attacker must already possess local privileges to exploit the flaw; no remote attack vector is described. Exploitation allows the disclosure of confidential data on the local system, but does not grant elevated privileges or remote access.
OpenCVE Enrichment