This vulnerability exposes sensitive information to an authorized local attacker through the Tablet Windows User Interface (TWINUI) subsystem. The flaw allows a user with legitimate system access to read data that should have been protected, potentially revealing confidential user data or system configuration. The weakness aligns with CWE‑200, representing an information‑disclosure flaw that compromises confidentiality when local access is available.

Affected Windows operating systems include Microsoft Windows 10 versions 1607, 1809, 21H2, and 22H2; Microsoft Windows 11 versions 23H2, 24H2, 25H2, and 22H3; and all Windows Server editions 2016, 2019, 2022, 2025, and the 23H2 Server Core edition. These affected builds are listed explicitly by the CNA and encompass both full installations and Server Core variants.

The CVSS v3.1 score of 5.5 indicates medium severity, mainly due to a local read‑only impact. The reported exploitation probability is below 1%, indicating a very low likelihood of real‑world attacks, and the vulnerability is not listed in the KEV catalog, so no large‑scale attacks have been observed. The description suggests the attack vector is local: an authenticated user may trigger the disclosure by interacting with TWINUI. Consequently, the overall risk to an organization is moderate; however, prompt remediation is advisable to prevent any potential data leakage.