Introduction
A heap based buffer overflow in the Windows Application Identity (AppID) Subsystem, patched in Microsoft's May 2026 update cycle, gives any locally authenticated user a path to SYSTEM level privileges with low attack complexity and no user interaction required. Given that the AppID subsystem is the enforcement backbone for AppLocker policies across Windows client and server deployments, the scope of affected environments is substantial.
Technical Information
Root Cause
CVE-2026-34343 is classified under CWE-122 (Heap-based Buffer Overflow). The flaw resides in the Windows Application Identity Subsystem, specifically within a function that has not been publicly identified by Microsoft. A heap overflow condition occurs when a buffer allocated in the heap portion of memory is written beyond its intended bounds. In this case, the overflow allows corruption of adjacent heap metadata or objects, which can be leveraged to redirect execution flow.
The AppID subsystem is responsible for determining and verifying the identity of applications on a Windows host. It is a core component that underpins AppLocker policy enforcement. Because this subsystem operates with elevated privileges by design, corrupting its heap state provides a direct path to privilege escalation.
Attack Vector and Exploitation Flow
The attack vector is local. An attacker must already have authenticated access to the target system, but from that starting point, the exploitation path is straightforward:
- The attacker, operating as a standard authenticated user, triggers the vulnerable code path in the AppID subsystem by providing crafted input that causes the heap based buffer overflow.
- The overflow corrupts heap memory in the context of the AppID service process, which runs with elevated privileges.
- By carefully controlling the overflow data, the attacker can manipulate heap structures to gain arbitrary code execution within the privileged process context.
- The attacker escalates from their standard user session to SYSTEM level access, gaining full control over the affected host.
The attack complexity is rated low, and no user interaction is required. The CVSS Base Score is 7.8 with a Temporal Score of 6.8. The impact on confidentiality, integrity, and availability is rated high across all three dimensions.
Why This Matters Operationally
The Application Identity service is not something administrators can simply disable as a defensive measure. Stopping this service prevents AppLocker policies from being enforced, which would severely degrade the security posture of the environment. This means the vulnerable component must remain running until the patch is applied, leaving a window of exposure that cannot be mitigated through service configuration alone.
Patch Information
Microsoft has released an official patch for CVE-2026-34343 as part of the May 12, 2026 Patch Tuesday cycle. The MSRC advisory confirms a Remediation Level of "Official Fix," meaning a complete vendor solution is available. Because the AppID subsystem is a closed source Windows component, no public source level diff or commit is available. The fix is delivered exclusively through cumulative security updates distributed via Windows Update and the Microsoft Update Catalog.
Below is a breakdown of the relevant Knowledge Base articles organized by product family:
| Product Family | KB Article(s) | Build Number(s) |
|---|---|---|
| Windows 11 24H2 / 25H2 (x64 and ARM64) | KB5089549 (Security Update), KB5089466 (Hotpatch) | 10.0.26100.8457 / 10.0.26100.8390, 10.0.26200.8457 / 10.0.26200.8390 |
| Windows 11 26H1 (x64 and ARM64) | KB5089548 | 10.0.28000.2113 |
| Windows 11 23H2 (x64 and ARM64) | KB5087420 | 10.0.22631.7079 |
| Windows 10 21H2 / 22H2 (x64, ARM64, 32 bit) | KB5087544 | 10.0.19044.7291 / 10.0.19045.7291 |
| Windows 10 1809 / Server 2019 | KB5087538 | 10.0.17763.8755 |
| Windows 10 1607 / Server 2016 | KB5087537 | 10.0.14393.9140 |
| Windows Server 2025 (incl. Server Core) | KB5087539 (Security Update), KB5087423 (Hotpatch) | 10.0.26100.32860 / 10.0.26100.32772 |
| Windows Server 2022 (incl. 23H2 and Server Core) | KB5087545 / KB5087541 (Security Update), KB5087424 (Hotpatch for 2022) | 10.0.20348.5139 / 10.0.25398.2330 |
| Windows Server 2012 R2 | KB5087471 (Monthly Rollup) | 6.3.9600.23181 |
| Windows Server 2012 | KB5087470 (Monthly Rollup) | 6.2.9200.26079 |
A noteworthy detail: for the latest platforms (Windows 11 24H2/25H2, Windows Server 2025, and Windows Server 2022), Microsoft provides a hotpatch option alongside the traditional cumulative update. Hotpatching applies critical fixes in memory without requiring a reboot, which is particularly valuable for servers that need to maintain high availability. For all other platforms, the standard cumulative security update applies and a restart will be needed.
All 31 affected product and platform combinations listed in the MSRC advisory carry a Customer Action Required status set to "Required," meaning administrators must actively ensure these updates are deployed. The updates are available now through Windows Update, WSUS, and the Microsoft Update Catalog.
Affected Systems and Versions
The vulnerability impacts a broad range of Windows client and server products:
Windows Client:
- Windows 11 Version 26H1 (x64 and ARM64)
- Windows 11 Version 24H2 / 25H2 (x64 and ARM64)
- Windows 11 Version 23H2 (x64 and ARM64)
- Windows 10 Version 21H2 / 22H2 (x64, ARM64, 32 bit)
- Windows 10 Version 1809
- Windows 10 Version 1607
Windows Server:
- Windows Server 2025 (including Server Core)
- Windows Server 2022 (including 23H2 and Server Core)
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
Specific patched build numbers are listed in the Patch Information section above. Any system running a build prior to the listed patched version is vulnerable.
Vendor Security History
In May 2026 alone, Microsoft fixed 120 flaws during their monthly update cycle, with no zero days reported in that batch. Microsoft has been actively promoting its Secure Future Initiative, launched in November 2023 as a multiyear effort to improve how the company designs, builds, tests, and operates its products. The initiative focuses on continuous security improvement and integrating feedback from incidents into engineering standards. Despite these efforts, the high volume of monthly patches indicates that legacy code issues like heap based overflows remain a persistent challenge. The presence of a classic CWE-122 vulnerability in a core Windows subsystem in 2026 underscores that memory safety issues continue to surface even in actively maintained codebases.
References
- MSRC Advisory: CVE-2026-34343
- NVD Entry: CVE-2026-34343
- VulDB: CVE-2026-34343 Microsoft Windows Application Identity Heap Overflow
- Tenable Plugin: Windows 11 Version 26H1 Security Update (May 2026)
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Microsoft: Configure the Application Identity Service
- Microsoft Secure Future Initiative Overview
- Microsoft Trust Center: Secure Future Initiative
- Gartner: Worldwide PC Shipments Q4 2025
- Microsoft Update Catalog



