CVE-2024-26226

Severity: Medium
Published: 09 April 2024
Modified: 08 January 2025
KEV Added: not listed
Patch: available (Microsoft Security Response Center advisory)
CVSS v3.1 base score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0821 (92.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-26226 is a medium-severity out-of-bounds read (CWE-125) in the Windows Distributed File System (DFS) component. It affects the Windows Server releases listed under Affected Assets, from Windows Server 2008 through Windows Server 2022 23H2, not Windows Server 2008 alone. Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, its EPSS score of 0.0821 sits at the 92.4th percentile, i.e. in the top 7.6% of CVEs by predicted exploit likelihood; it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Deeper analysis

CVE-2024-26226 is an information disclosure vulnerability in the Windows Distributed File System (DFS) component. It carries a CVSS v3.1 base score of 6.5 and is classified as CWE-125 (Out-of-bounds Read): the affected code reads past the bounds of an intended buffer, so memory the caller should never see can be returned to a network client that meets the access conditions encoded in the CVSS vector.

An attacker holding low privileges (PR:L) can trigger the issue remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). The result is high confidentiality impact (C:H) with no effect on integrity or availability (I:N, A:N), and the scope stays unchanged (S:U), so the disclosure is confined to the vulnerable component's own security authority.

Microsoft publishes patch and mitigation details for this CVE in its Security Response Center (MSRC) advisory. The EPSS score has stayed at 0.0821 since disclosure, with no material increase recorded.

Vulnerability details

Windows Distributed File System (DFS) Information Disclosure Vulnerability

CWE(s)

CWE-125: Out-of-bounds Read

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor     Product                   Affected versions
Microsoft  Windows Server 2008       all versions, including R2
Microsoft  Windows Server 2012       all versions, including R2
Microsoft  Windows Server 2016       builds before 10.0.14393.6897
Microsoft  Windows Server 2019       builds before 10.0.17763.5696
Microsoft  Windows Server 2022       builds before 10.0.20348.2402
Microsoft  Windows Server 2022 23H2  builds before 10.0.25398.830

The build listed for each release is the first patched build, delivered in the April 2024 cumulative update (the release date of this CVE); any earlier build of that branch is affected. Windows Server 2008 R2 and 2012 R2 are serviced by monthly rollups rather than a single build number, so for those the installed KBs must be compared against the MSRC advisory.
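The check a practitioner wants from the table above is whether a given server is at or past the first patched build. The following PowerShell script is an added example, not code from this page or from Microsoft: it reads the local build from the registry and compares it against the fixed builds listed under Affected Assets. The build numbers are the page's; the function names, the mapping from build branch (14393, 17763, 20348, 25398) to product, and the "Unknown" handling for releases outside the table are assumptions of this example.

```powershell
# Added example: compare this host's OS build against the first-patched builds for
# CVE-2024-26226 listed in the Affected Assets table. Function names and the
# branch-to-product mapping are assumptions of this example, not data from the page.

$FixedBuilds = @{
    14393 = [Version]'10.0.14393.6897'   # Windows Server 2016
    17763 = [Version]'10.0.17763.5696'   # Windows Server 2019
    20348 = [Version]'10.0.20348.2402'   # Windows Server 2022
    25398 = [Version]'10.0.25398.830'    # Windows Server 2022, version 23H2
}

function Get-OsBuildVersion {
    # CurrentBuildNumber is the branch (e.g. 20348); UBR is the monthly revision.
    # Together they form the full build that cumulative-update KBs are keyed on.
    $cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ubr = if ($null -ne $cv.UBR) { $cv.UBR } else { 0 }   # UBR is absent on 2012 R2 and older
    [Version]('10.0.{0}.{1}' -f $cv.CurrentBuildNumber, $ubr)
}

function Test-Cve202426226Patched {
    param([Version]$Current = (Get-OsBuildVersion))

    $fixed = $FixedBuilds[[int]$Current.Build]
    if (-not $fixed) {
        # Not one of the four build branches in the table: Server 2008 R2 / 2012 R2 are
        # serviced by monthly rollups, so the installed KBs must be checked instead.
        $status = 'Unknown (build branch not in table; compare installed KBs against MSRC)'
    } elseif ($Current -ge $fixed) {
        $status = 'Patched'
    } else {
        $status = 'Vulnerable'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = $Current
        FixedBuild   = $fixed
        Status       = $status
    }
}

# Local run; for a fleet, wrap the call in Invoke-Command -ComputerName <list> -ScriptBlock { ... }
Test-Cve202426226Patched
```

The comparison is on the full four-part build, so a server on the right branch but missing the April 2024 update (for example 10.0.20348.2340) reports Vulnerable, while any later cumulative update reports Patched. The script deliberately refuses to guess for branches it does not know rather than reporting a false Patched result.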

Mitigating Controls

No mitigating controls are mapped for this CVE yet; the per-CVE control annotator has not reached it. Until it does, the CVSS vector points to the obvious controls: apply the April 2024 update (the first patched builds are listed under Affected Assets), and, because exploitation needs only low privileges over the network, restrict which accounts and hosts can reach the DFS service on servers that must expose it.
