ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-34343 — Windows AppID Subsystem Heap Overflow Enables Local Privilege Escalation

A short review of CVE-2026-34343, a heap-based buffer overflow in the Windows Application Identity (AppID) Subsystem that allows locally authenticated attackers to escalate privileges. Includes patch information across all affected Windows product families.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: CVE-2026-34343 — Windows AppID Subsystem Heap Overflow Enables Local Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A heap based buffer overflow in the Windows Application Identity (AppID) Subsystem, patched in Microsoft's May 2026 update cycle, gives any locally authenticated user a path to SYSTEM level privileges with low attack complexity and no user interaction required. Given that the AppID subsystem is the enforcement backbone for AppLocker policies across Windows client and server deployments, the scope of affected environments is substantial.

Technical Information

Root Cause

CVE-2026-34343 is classified under CWE-122 (Heap-based Buffer Overflow). The flaw resides in the Windows Application Identity Subsystem, specifically within a function that has not been publicly identified by Microsoft. A heap overflow condition occurs when a buffer allocated in the heap portion of memory is written beyond its intended bounds. In this case, the overflow allows corruption of adjacent heap metadata or objects, which can be leveraged to redirect execution flow.

The AppID subsystem is responsible for determining and verifying the identity of applications on a Windows host. It is a core component that underpins AppLocker policy enforcement. Because this subsystem operates with elevated privileges by design, corrupting its heap state provides a direct path to privilege escalation.

Attack Vector and Exploitation Flow

The attack vector is local. An attacker must already have authenticated access to the target system, but from that starting point, the exploitation path is straightforward:

  1. The attacker, operating as a standard authenticated user, triggers the vulnerable code path in the AppID subsystem by providing crafted input that causes the heap based buffer overflow.
  2. The overflow corrupts heap memory in the context of the AppID service process, which runs with elevated privileges.
  3. By carefully controlling the overflow data, the attacker can manipulate heap structures to gain arbitrary code execution within the privileged process context.
  4. The attacker escalates from their standard user session to SYSTEM level access, gaining full control over the affected host.

The attack complexity is rated low, and no user interaction is required. The CVSS Base Score is 7.8 with a Temporal Score of 6.8. The impact on confidentiality, integrity, and availability is rated high across all three dimensions.

Why This Matters Operationally

The Application Identity service is not something administrators can simply disable as a defensive measure. Stopping this service prevents AppLocker policies from being enforced, which would severely degrade the security posture of the environment. This means the vulnerable component must remain running until the patch is applied, leaving a window of exposure that cannot be mitigated through service configuration alone.

Patch Information

Microsoft has released an official patch for CVE-2026-34343 as part of the May 12, 2026 Patch Tuesday cycle. The MSRC advisory confirms a Remediation Level of "Official Fix," meaning a complete vendor solution is available. Because the AppID subsystem is a closed source Windows component, no public source level diff or commit is available. The fix is delivered exclusively through cumulative security updates distributed via Windows Update and the Microsoft Update Catalog.

Below is a breakdown of the relevant Knowledge Base articles organized by product family:

Product FamilyKB Article(s)Build Number(s)
Windows 11 24H2 / 25H2 (x64 and ARM64)KB5089549 (Security Update), KB5089466 (Hotpatch)10.0.26100.8457 / 10.0.26100.8390, 10.0.26200.8457 / 10.0.26200.8390
Windows 11 26H1 (x64 and ARM64)KB508954810.0.28000.2113
Windows 11 23H2 (x64 and ARM64)KB508742010.0.22631.7079
Windows 10 21H2 / 22H2 (x64, ARM64, 32 bit)KB508754410.0.19044.7291 / 10.0.19045.7291
Windows 10 1809 / Server 2019KB508753810.0.17763.8755
Windows 10 1607 / Server 2016KB508753710.0.14393.9140
Windows Server 2025 (incl. Server Core)KB5087539 (Security Update), KB5087423 (Hotpatch)10.0.26100.32860 / 10.0.26100.32772
Windows Server 2022 (incl. 23H2 and Server Core)KB5087545 / KB5087541 (Security Update), KB5087424 (Hotpatch for 2022)10.0.20348.5139 / 10.0.25398.2330
Windows Server 2012 R2KB5087471 (Monthly Rollup)6.3.9600.23181
Windows Server 2012KB5087470 (Monthly Rollup)6.2.9200.26079

A noteworthy detail: for the latest platforms (Windows 11 24H2/25H2, Windows Server 2025, and Windows Server 2022), Microsoft provides a hotpatch option alongside the traditional cumulative update. Hotpatching applies critical fixes in memory without requiring a reboot, which is particularly valuable for servers that need to maintain high availability. For all other platforms, the standard cumulative security update applies and a restart will be needed.

All 31 affected product and platform combinations listed in the MSRC advisory carry a Customer Action Required status set to "Required," meaning administrators must actively ensure these updates are deployed. The updates are available now through Windows Update, WSUS, and the Microsoft Update Catalog.

Affected Systems and Versions

The vulnerability impacts a broad range of Windows client and server products:

Windows Client:

  • Windows 11 Version 26H1 (x64 and ARM64)
  • Windows 11 Version 24H2 / 25H2 (x64 and ARM64)
  • Windows 11 Version 23H2 (x64 and ARM64)
  • Windows 10 Version 21H2 / 22H2 (x64, ARM64, 32 bit)
  • Windows 10 Version 1809
  • Windows 10 Version 1607

Windows Server:

  • Windows Server 2025 (including Server Core)
  • Windows Server 2022 (including 23H2 and Server Core)
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

Specific patched build numbers are listed in the Patch Information section above. Any system running a build prior to the listed patched version is vulnerable.

Vendor Security History

In May 2026 alone, Microsoft fixed 120 flaws during their monthly update cycle, with no zero days reported in that batch. Microsoft has been actively promoting its Secure Future Initiative, launched in November 2023 as a multiyear effort to improve how the company designs, builds, tests, and operates its products. The initiative focuses on continuous security improvement and integrating feedback from incidents into engineering standards. Despite these efforts, the high volume of monthly patches indicates that legacy code issues like heap based overflows remain a persistent challenge. The presence of a classic CWE-122 vulnerability in a core Windows subsystem in 2026 underscores that memory safety issues continue to surface even in actively maintained codebases.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization