Impact
This vulnerability is a use‑after‑free flaw in the Inbox COM objects provided with the Microsoft Windows Software Development Kit. The flaw allows an attacker to supply crafted input that causes an object to be freed and its memory to be used afterwards, enabling the execution of arbitrary code on the local host. The vulnerability is classified as CWE‑416 (Use After Free). Although the advisory states that the code is executed locally, the CVE title and the typical behavior of COM components imply that remote exploitation may be possible if the attacker can trigger the vulnerable object from a remote service or application.
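As an added illustration of the CWE‑416 pattern described above (constructed example code, not the SDK's Inbox COM objects and not code from the advisory): a minimal reference‑counted object in the style of COM's AddRef/Release. In the buggy caller, a second component keeps a copy of the pointer without taking its own reference, so the owner's final Release destroys the object while that copy is still used; in the fixed caller every holder owns a reference and the last Release frees the memory. To keep the demo free of undefined behaviour, Release on the last reference poisons the object and keeps it in a one‑object quarantine instead of calling free(), so the stale use is detected rather than silently reading freed memory. The names RefObject, ref_use and the two sequence functions are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a COM-style reference-counted object (not the
 * SDK's Inbox COM objects). Release() on the last reference poisons the
 * object and keeps it in a one-slot quarantine instead of calling free(),
 * so a later stale use can be detected safely in this demo. */

#define LIVE_MAGIC 0x4C495645u   /* marks an object that may be used */
#define DEAD_MAGIC 0x44454144u   /* marks an object whose last reference is gone */

typedef struct RefObject {
    unsigned magic;
    long     refcount;
    char     subject[64];
} RefObject;

static RefObject *ref_create(const char *subject) {
    RefObject *o = calloc(1, sizeof *o);
    if (o == NULL) return NULL;
    o->magic = LIVE_MAGIC;
    o->refcount = 1;                       /* creator owns the first reference */
    strncpy(o->subject, subject, sizeof o->subject - 1);
    return o;
}

static long ref_addref(RefObject *o) {
    return ++o->refcount;
}

/* Returns the remaining count; 0 means the object has just been destroyed,
 * -1 means Release was called on an object that was already destroyed. */
static long ref_release(RefObject *o) {
    if (o->magic != LIVE_MAGIC) return -1;
    if (--o->refcount > 0) return o->refcount;
    o->magic = DEAD_MAGIC;                 /* poison: any later use is a UAF */
    memset(o->subject, 0xDD, sizeof o->subject);
    return 0;
}

/* Stand-in for a method call: 0 if the object is live, -1 if the caller is
 * touching a destroyed (or NULL) object. */
static int ref_use(const RefObject *o) {
    if (o == NULL || o->magic != LIVE_MAGIC) return -1;
    return 0;
}

/* Buggy pattern: a second component keeps a copy of the pointer without
 * taking its own reference, so the owner's Release destroys the object
 * while that copy is still used. Returns ref_use's result (-1 here),
 * or -2 if allocation failed. */
static int buggy_sequence(void) {
    RefObject *owner = ref_create("quarterly report");
    if (owner == NULL) return -2;
    RefObject *borrowed = owner;           /* no AddRef: not an owned reference */
    ref_release(owner);                    /* count 1 -> 0: object destroyed */
    owner = NULL;
    int rc = ref_use(borrowed);            /* stale use, detected by the poison */
    free(borrowed);                        /* empty the demo quarantine */
    return rc;
}

/* Fixed pattern: every holder of the pointer owns a reference and releases
 * it when done, and the last releaser frees the memory. Returns 0,
 * or -2 if allocation failed. */
static int fixed_sequence(void) {
    RefObject *owner = ref_create("quarterly report");
    if (owner == NULL) return -2;
    RefObject *consumer = owner;
    ref_addref(consumer);                  /* count 1 -> 2 */
    ref_release(owner);                    /* count 2 -> 1: still live */
    owner = NULL;
    int rc = ref_use(consumer);            /* 0: object still live */
    if (ref_release(consumer) == 0)        /* count 1 -> 0: destroyed */
        free(consumer);
    consumer = NULL;
    return rc;
}

int main(void) {
    printf("unbalanced references: use result %d\n", buggy_sequence());
    printf("balanced references:   use result %d\n", fixed_sequence());
    return 0;
}
```

The poison-and-quarantine step stands in for what a real allocator would do with freed memory; in production code the same mistake reads whatever the allocator has since placed there, which is exactly the condition an attacker's crafted input aims to control. The defensive discipline the fixed sequence shows, one owned reference per holder and nulling the pointer after the final Release, is the usual mitigation in COM clients.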
Affected Systems
The affected product is the Microsoft Windows SDK, as identified by the CNA’s product list. Specific version information is not supplied in the advisory, so administrators should verify whether their installed SDK includes the Inbox COM objects and determine if the vulnerability applies to their environment.
Risk and Exploitability
The CVSS score of 7 indicates moderate severity. The EPSS score is below 1%, implying a very low probability that active exploitation is occurring in the wild. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to obtain a privilege level that can instantiate the vulnerable COM object, typically through a local user account or a compromised application. This indicates a local or privilege‑escalation attack surface; remote exploitation would require additional context about how Outlook or similar components interact with the SDK. Based on the description, it is inferred that the attacker must be able to run code in a context that can load or manipulate the problematic COM object.
OpenCVE Enrichment