Description
Improper input validation in Microsoft Azure Attestation service and Device Health Attestation Service allows an authorized attacker to perform spoofing with a physical attack.
Published: 2026-06-09
Score: 3.9 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation in Microsoft Azure Attestation Service and Device Health Attestation Service permits an authorized attacker to perform spoofing by supplying malformed data during a physical attack. The weakness is classified as CWE-20 (Improper Input Validation). The advisory text does not describe the mechanism; the Microsoft-supplied CVSS vector (AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N) characterizes the outcome as a high integrity impact with no confidentiality or availability impact, which for an attestation service means a relying party could be led to accept an attestation result that does not reflect the device's true state. No remote vector is described: exploitation requires physical access to the affected system and an attacker who already holds high privileges on it.

Affected Systems

Microsoft Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2, 26H1) and Windows Server (2012, 2012 R2, 2016, 2019, 2022, 2025). The CPE entries list x86, x64 and ARM64 targets for the client releases and x64 for Windows Server 2012 and 2012 R2; the Windows Server 2016 and later entries carry no architecture qualifier. Both client and server editions are listed.

Risk and Exploitability

The CVSS 3.1 base score of 3.9 (Low) follows from a physical attack vector (AV:P), high privileges required (PR:H), no user interaction and an integrity-only impact (C:N/I:H/A:N); the temporal metrics record no known exploit (E:U) and an official fix (RL:O). No EPSS score is available, the issue is not in the CISA KEV catalog, and the SSVC assessment records Exploitation as none, Automatable as no and Technical Impact as partial. Because the attacker must already hold high privileges and be physically present at the device, the flaw offers no remote or unauthenticated path in. The practical risk is to whatever trusts the attestation result: a relying party that gates a decision on a spoofed result extends trust to a device that has not actually satisfied its policy, so the value of the bug to an attacker scales with how much the environment depends on attestation.

Generated by OpenCVE AI on June 9, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The Microsoft-supplied CVSS temporal metric RL:O (Official Fix) indicates that a fix has been released; consult the Microsoft Security Update Guide entry for CVE-2026-45642 for the applicable update.

OpenCVE Recommended Actions

  • Confirm and install the Windows security update that addresses CVE-2026-45642 on every listed Windows 10, Windows 11 and Windows Server release, as published in the Microsoft Security Update Guide.
  • Until the update is applied, restrict physical access to affected devices and keep membership in highly privileged local groups to a minimum: the vector requires both physical access (AV:P) and high privileges (PR:H), so both controls directly raise the cost of exploitation.
  • On the relying-party side, never treat an attestation result as trusted on the basis of its contents alone. Verify the signature on the attestation token against the attestation service's published signing keys (obtained out of band, never from the token itself), pin the expected signature algorithm, and check issuer, expiry and the nonce bound to the request, so that an altered, replayed or unsigned result is rejected before any of its claims are read.
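The relying-party check described in the last action, written out as an added example; it is not code from Microsoft or OpenCVE. It assumes the attestation result arrives as an RS256-signed JWT, the form Azure Attestation tokens take, and that the verifier already holds the service's signing public key from the service's published key set rather than from the token. MintToken is a local stand-in for the service so the example runs offline, the issuer URL and the nonce claim name are illustrative, and only the Go standard library is used. Device Health Attestation responses are a different format, but the same structure applies: verify against an out-of-band key, pin the algorithm, check freshness, and read nothing from the response until the signature holds.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of claims checked here; the names are illustrative, use your provider's documented set.
type Claims struct {
	Iss   string `json:"iss"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken stands in for the attestation service so the example runs offline (constructed fixture).
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyToken is the relying-party check. pub must be the provider's published signing key,
// obtained out of band; nothing inside the token may choose the key or the algorithm.
func VerifyToken(token string, pub *rsa.PublicKey, wantIss, wantNonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "RS256" { // pinned: "none" and HMAC algorithms are never acceptable
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	// Parse claims only after the signature holds; until then the payload is untrusted input.
	var c Claims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	if wantNonce == "" || c.Nonce != wantNonce { // binds the token to this request and defeats replay
		return nil, errors.New("nonce mismatch")
	}
	return &c, nil
}
type ScenarioResult struct{ GenuineAccepted, TamperedRejected, AlgNoneRejected, WrongNonceRejected, WrongKeyRejected bool }

// RunScenario mints a genuine token plus several spoofed variants and runs each through VerifyToken.
func RunScenario() ScenarioResult {
	var r ScenarioResult
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // fixture key standing in for the service's published signing key
	now := time.Unix(1_800_000_000, 0)
	iss := "https://example.attest.example.net" // hypothetical issuer
	good := Claims{Iss: iss, Exp: now.Unix() + 600, Nonce: "n-42"}
	tok, _ := MintToken(key, good)
	p := strings.Split(tok, ".")
	_, err := VerifyToken(tok, &key.PublicKey, iss, "n-42", now)
	r.GenuineAccepted = err == nil
	forged, _ := json.Marshal(Claims{Iss: iss, Exp: good.Exp + 86400, Nonce: "n-42"}) // edited claims, original signature
	_, err = VerifyToken(p[0]+"."+b64(forged)+"."+p[2], &key.PublicKey, iss, "n-42", now)
	r.TamperedRejected = err != nil
	_, err = VerifyToken(b64([]byte(`{"alg":"none"}`))+"."+p[1]+".", &key.PublicKey, iss, "n-42", now) // alg downgrade
	r.AlgNoneRejected = err != nil
	_, err = VerifyToken(tok, &key.PublicKey, iss, "n-43", now) // genuine token replayed against another request
	r.WrongNonceRejected = err != nil
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // attacker-controlled key instead of the published one
	_, err = VerifyToken(tok, &other.PublicKey, iss, "n-42", now)
	r.WrongKeyRejected = err != nil
	return r
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Run it with go run; every field of the printed result is true. The order of checks is the point: the algorithm is pinned first, the signature is checked second, and only then are the claims decoded, so a token whose claims were edited after signing, a token whose header says alg none, a token signed with a key the verifier was never given, or a genuine token replayed for a different request never reaches the claims logic that would grant trust.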

Generated by OpenCVE AI on June 9, 2026 at 19:56 UTC.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper input validation in Microsoft Azure Attestation service and Device Health Attestation Service allows an authorized attacker to perform spoofing with a physical attack.
Title Microsoft Azure Attestation service and Device Health Attestation Service Spoofing Vulnerability
First Time appeared Microsoft
Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2012
Microsoft windows Server 2012 R2
Microsoft windows Server 2016
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Weaknesses CWE-20
CPEs cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2012
Microsoft windows Server 2012 R2
Microsoft windows Server 2016
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
References
Metrics cvssV3_1

{'score': 3.9, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:50:07.845Z

Reserved: 2026-05-12T20:33:35.156Z

Link: CVE-2026-45642

Vulnrichment

Updated: 2026-06-09T19:42:42.652Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:31.233

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45642

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:00:19Z

Weaknesses