CVE-2026-34349
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-34349, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Microsoft Corporation

Description

Exposure of sensitive information to an unauthorized actor in Windows Media allows an authorized attacker to disclose information locally.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
microsoft windows_media *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-34349 is an information disclosure vulnerability in Windows Media. It allows an authorized attacker with local access to disclose sensitive information to an unauthorized actor.

The vulnerability is classified as an exposure of sensitive information, meaning that data that should remain private could be accessed by someone who should not have access to it.

The CVSS v3.1 score for this vulnerability is 5.5, with a vector of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates the attack requires local access (AV:L), low attack complexity (AC:L), low privileges (PR:L), no user interaction (UI:N), and has a high impact on confidentiality (C:H) but no impact on integrity or availability.

Impact Analysis

If you are using a system affected by CVE-2026-34349, this vulnerability could impact you in the following ways:

  • An attacker with local access to your system could exploit this vulnerability to access sensitive information stored or processed by Windows Media.
  • The disclosed information could include personal data, credentials, or other confidential material, depending on what the system handles.
  • Since the vulnerability requires local access, the risk is higher in environments where multiple users share the same system or where unauthorized individuals may gain physical or logical access.
Compliance Impact

This vulnerability could affect compliance with common standards and regulations in the following ways:

  • GDPR: If the disclosed information includes personal data of EU citizens, this vulnerability could lead to a breach of GDPR. Organizations are required to protect personal data and report breaches within 72 hours. Failure to mitigate this vulnerability could result in non-compliance and potential fines.
  • HIPAA: If the affected system handles protected health information (PHI), this vulnerability could result in unauthorized disclosure of PHI, violating HIPAA's Privacy Rule. Covered entities must implement safeguards to protect PHI, and failure to address this vulnerability could lead to penalties.
  • Other standards, such as PCI DSS, may also be impacted if the disclosed information includes payment card data. Organizations must ensure that sensitive data is protected to maintain compliance.

Since the vulnerability involves unauthorized access to sensitive information, organizations should assess whether their systems are affected and take appropriate measures to mitigate the risk to avoid compliance violations.

Detection Guidance

The provided context does not include specific detection methods or commands for identifying the vulnerability (CVE-2026-34349) on a network or system. Detection may require checking for unusual access patterns to sensitive information in Windows Media or reviewing logs for unauthorized local access by authorized users.

For precise detection steps, refer to Microsoft's official guidance or security tools that monitor local information disclosure vulnerabilities.

Mitigation Strategies

The provided context does not specify immediate mitigation steps for CVE-2026-34349. However, general steps to mitigate information disclosure vulnerabilities in Windows Media may include:

  • Apply the latest security updates from Microsoft as soon as they are available. Check the Microsoft Update Guide for patches specific to this CVE.
  • Restrict local access to sensitive information by enforcing least-privilege principles for user accounts.
  • Monitor and audit local access to sensitive data to detect unauthorized disclosure attempts.
  • Review and update group policies or security configurations related to Windows Media components.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34349. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart