Description
Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.
Published: 2026-05-12
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out-of-bounds read in the Windows Desktop Window Manager core library enables a local attacker with authorized access to read memory contents that should be protected. This information disclosure could expose sensitive data such as credentials stored in memory or other confidential information. The vulnerability is a classic out-of-bounds read flaw identified as CWE-125.

Affected Systems

Microsoft Windows 11 24H2, 25H2, and 26H1 as well as Windows Server 2025 and its server core installation are affected. The affected builds include ARM64 for the 24H2 and 25H2 releases and x64 for the 26H1 release, as specified by their CPE entries.

Risk and Exploitability

The CVSS 3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates medium severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The attack requires local, authorized user privileges and no user interaction, and the rated impact is on confidentiality only, so the threat largely depends on the privileges granted to the user. Because the vulnerability does not allow remote exploitation, the risk to unprivileged users is limited.

Generated by OpenCVE AI on May 12, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Windows update that delivers the fix for CVE-2026-35419 via Windows Update, WSUS, or Microsoft Update Catalog.
  • Reboot all affected machines to complete the installation.
  • After updating, configure the Desktop Window Manager service so that only administrators can run it by setting its "Log on" identity to Local System and restricting permissions through Local Security Policy.

Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.
Title | | Windows DWM Core Library Information Disclosure Vulnerability
First Time appeared | | Microsoft; Microsoft windows 11 24h2; Microsoft windows 11 25h2; Microsoft windows 11 26h1; Microsoft windows Server 2025
Weaknesses | | CWE-125
CPEs | | cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*; cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*; cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:x64:*; cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft windows 11 24h2; Microsoft windows 11 25h2; Microsoft windows 11 26h1; Microsoft windows Server 2025
References | |
Metrics | | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-12T17:53:30.195Z

Reserved: 2026-04-02T19:21:11.804Z

Link: CVE-2026-35419

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:17:12.437

Modified: 2026-05-12T18:17:12.437

Link: CVE-2026-35419

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:00:13Z

Weaknesses