Microsoft disclosed CVE-2026-45594 on June 9, 2026, as part of its monthly Patch Tuesday release, an Important-rated information disclosure vulnerability in the Windows Application Identity (AppID) subsystem. A locally authenticated attacker can exploit the flaw to read sensitive information from the service's process memory without user interaction.

This CVE targets AppIDSvc, the Windows service that underpins application control features like AppLocker and Windows Defender Application Control (WDAC). The vulnerability allows an authorized user to pry into data that could expose policy configurations, internal file attributes, or other details used to enforce allow/deny rules. In the worst case, that information might be chained with other exploits to bypass application restrictions or plan a more targeted attack.

How the Windows AppID Subsystem Works

The Application Identity service runs as a protected LocalSystem process and is responsible for verifying the identity of executable files, scripts, and installers when they are launched. It checks digital signatures, file hashes, and path rules against the administrative policies defined in AppLocker or WDAC.

When an application starts, the service determines whether it matches an allowed publisher rule or whether its hash appears on a whitelist. For example, you can allow only Microsoft-signed binaries to run, blocking unknown malware. AppID also interacts with SmartScreen and Microsoft Defender for Endpoint to provide rich application context for threat hunting.

Because the service handles sensitive metadata – including the full path of executables, hash data, and even partial signature chain details – any leak could give an attacker a map of how a machine is configured. This information disclosure is not a direct remote code execution risk, but an Important rating signals that confidentiality is at stake and an adversary could use the leaked data to refine a later attack.

CVE-2026-45594 Technical Details

According to the advisory, the vulnerability stems from improper handling of a crafted request that triggers an out-of-bounds read in the AppIDSvc process. A local attacker – one who already has a valid user session on the target machine – can call a specific API with malicious parameters, causing the service to return memory contents outside the expected buffer.

  • Attack Vector: Local (AV:L)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: Low (PR:L) – just a standard domain or local user account
  • User Interaction: None (UI:N)
  • Impact: Confidentiality exposure (C:H), no impact on integrity or availability
  • CVSS 3.1 Base Score: 5.5, but Microsoft rates it Important due to the high confidentiality impact and the low barrier to entry.

The vulnerability affects all supported versions of Windows 11 (including 24H2 and any interim releases) and Windows Server 2022/2025. Older OSes like Windows 10 are out of mainstream support unless covered by Extended Security Updates; customers with ESU should verify with their update catalogue.

No public proof-of-concept or exploit code accompanied the disclosure, and Microsoft’s Exploitability Index classified it as “Less Likely” to be exploited. This means even though source code analysis could reveal the bug, building a reliable exploit in practice might be nontrivial. Still, history shows that determined attackers sometimes weaponize even “Less Likely” bugs once patch analysis is published.

AppID Vulnerabilities Are Familiar Territory

This is not the first security issue inside the Application Identity service. In January 2022, Microsoft patched CVE-2022-21905, an elevation of privilege in AppID that allowed attackers to gain SYSTEM-level execution. That flaw was also local and Important, and it was later found to be exploited in the wild as part of ransomware chains.

Other CVEs have targeted AppLocker policy enforcement bypasses (CVE-2023-21545, CVE-2024-20674) or WDAC weaknesses. The recurring theme is that the subsystem sits at the intersection of code execution and security policy, making it a lucrative target. An information disclosure bug like CVE-2026-45594 might not directly grant SYSTEM, but it can give an attacker the knowledge to craft a bypass that does.

Security researchers have long warned that AppID’s deep integration with the Windows kernel and the sheer volume of data it processes make it a broad attack surface. Microsoft has hardened the service over successive releases, introducing better sandboxing and reducing its default privileges, but clearly gaps remain.

How to Patch and Protect Your Environment

Install the June 2026 Cumulative Update

The fix for CVE-2026-45594 arrives in the June 9, 2026 security-only and cumulative monthly rollups. Microsoft issued the update through all normal channels – Windows Update, Windows Update for Business, WSUS, and the Microsoft Update Catalog. The update corrects the out-of-bounds read by adding proper bounds checking to the vulnerable function.

Specific KB articles vary by OS version. Search for “June 2026 Security Updates” on the MSRC guide to locate your build’s number. For instance:
- Windows 11 24H2: KB5039xxx (cumulative)
- Windows Server 2025: same KB
- Windows Server 2022: KB5039yyy

Enterprise administrators should test the update in a staging environment that mimics production AppLocker/WDAC policies. The AppID service is critical for application control; a faulty rollout could block legitimate business apps if the update inadvertently changes policy evaluation.

Review and Harden Local Access

Since CVE-2026-45594 requires local logon rights, restrict interactive access to servers and workstations to only necessary users. Enforce least-privilege principles: standard users should not be local administrators unless absolutely necessary. Use Microsoft’s Local Administrator Password Solution (LAPS) to manage unique, complex passwords for local admin accounts, reducing the chance of lateral movement.

If your organization has not yet adopted Windows LAPS (the new version integrated into modern Windows builds), now is the time.

Monitor for Exploitation Attempts

While no public exploit exists yet, defenders should configure detection rules. The vulnerable API calls are typically performed via appidtel.exe or custom tools that interface with the Aaid COM object. Look for unusual usage of appidtel.exe in user mode, or unexpected AppID service errors in the System event log (Event ID 1100 series).

If you run Microsoft Defender for Endpoint, enable the “Application Identity Service Information Disclosure” detection if Microsoft publishes a corresponding analytic. Custom Sigma rules can be written to flag suspicious AppID activity, such as the service crashing repeatedly or dumping memory to a file.
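The two indicators above, appidtel.exe launched from a user session and the service crashing repeatedly, as an added PowerShell detection example that is not part of the original advisory. It works over Get-WinEvent-shaped objects so it can be run against constructed sample records offline; Event IDs 4688 (Security, process creation) and 7031/7034 (System, Service Control Manager "terminated unexpectedly") are standard Windows IDs, while the crash threshold and window are assumptions.

```powershell
# Added example, not code from the advisory. Flags (1) appidtel.exe started by a non-SYSTEM
# subject in Security 4688 and (2) AppIDSvc terminating unexpectedly >= $CrashThreshold times
# within $WindowMinutes (System 7031/7034). Thresholds are assumptions; tune to your fleet.
function Find-AppIdSuspiciousActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, Id, Message
        [int] $CrashThreshold = 3,
        [int] $WindowMinutes  = 10
    )
    $findings = @()
    # Indicator 1: appidtel.exe run from a user session rather than by SYSTEM itself
    foreach ($e in $Events | Where-Object { $_.Id -eq 4688 -and $_.Message -match 'appidtel\.exe' }) {
        if ($e.Message -notmatch 'Security ID:\s+SYSTEM') {
            $findings += [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'appidtel-user-mode'
                                            Detail = ($e.Message -split "`r?`n")[0] }
        }
    }
    # Indicator 2: a burst of Application Identity service crashes reported by the SCM
    $crashes = @($Events | Where-Object { $_.Id -in 7031, 7034 -and $_.Message -match 'Application Identity' } |
                Sort-Object TimeCreated)
    for ($i = 0; $i + $CrashThreshold - 1 -lt $crashes.Count; $i++) {
        $span = $crashes[$i + $CrashThreshold - 1].TimeCreated - $crashes[$i].TimeCreated
        if ($span.TotalMinutes -le $WindowMinutes) {
            $findings += [pscustomobject]@{ Time = $crashes[$i].TimeCreated; Rule = 'appidsvc-repeated-crash'
                                            Detail = "$CrashThreshold crashes within $([int]$span.TotalMinutes) min" }
            break
        }
    }
    return $findings
}

# Constructed sample records standing in for Get-WinEvent output (not real logs).
$t = Get-Date '2026-06-10 09:00'
$crashMsg = 'The Application Identity service terminated unexpectedly.'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t; Id = 4688
        Message = "A new process has been created.`r`nSubject:`r`n`tSecurity ID:`t`tS-1-5-21-0-0-0-1105`r`n`tAccount Name:`t`tjdoe`r`nNew Process Name:`tC:\Windows\System32\appidtel.exe" }
    [pscustomobject]@{ TimeCreated = $t.AddMinutes(1); Id = 7034; Message = $crashMsg }
    [pscustomobject]@{ TimeCreated = $t.AddMinutes(3); Id = 7034; Message = $crashMsg }
    [pscustomobject]@{ TimeCreated = $t.AddMinutes(4); Id = 7031; Message = $crashMsg }
)
Find-AppIdSuspiciousActivity -Events $sample | Format-Table -AutoSize

# Live usage (assumed; needs read access to the Security log):
# $live  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000)
# $live += @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 7031, 7034 } -MaxEvents 500)
# Find-AppIdSuspiciousActivity -Events $live
```

Process creation auditing must be enabled (with command-line logging for best results) before 4688 events carry the process name this rule keys on.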

Consider Application Control Alternatives

For high-security environments, a defense-in-depth approach may warrant evaluating whether AppID-dependent solutions like AppLocker can be supplemented or replaced. Windows Defender Application Control with virtualization-based security (VBS) isolates the policy engine further, potentially reducing exposure to user-mode exploits. However, WDAC also relies on AppIDSvc in some configurations, so it may not be a complete mitigation.

Third-party application whitelisting tools from vendors like Carbon Black, CrowdStrike, or Airlock Digital operate at a different layer and may not have the same attack surface, but they bring their own patching requirements.

The Bigger Picture: Patch Tuesday June 2026

CVE-2026-45594 was one of 70+ CVEs addressed in the June 2026 release. Other notable patches include a zero-day remote code execution in the Windows Print Spooler and a Hyper-V escape rated Critical. While AppID gets special attention due to its role in security policy, IT teams must prioritize based on their risk profile – if you rely heavily on AppLocker/WDAC to prevent ransomware, this CVE should jump the queue.

Microsoft’s documentation emphasizes that no workarounds exist. Disabling the Application Identity service would break application control, making it a poor workaround unless you accept the loss of those controls. A more acceptable temporary measure is to remove the “SeImpersonatePrivilege” from standard users on servers where AppID might be exploited, but that can impact legitimate services. Patching remains the definitive fix.

Seven Steps to a Secure Deployment

  1. Inventory your Windows fleet to find all machines running AppLocker or WDAC with AppIDSvc active. Servers, administrative workstations, and VDI are the highest priority.
  2. Download the appropriate June 2026 cumulative update from the Update Catalog for offline deployment in air-gapped networks.
  3. Test the update on a pilot group with identical policy sets. Run regression tests to confirm that application control still functions as expected – e.g., allowed apps launch, blocked apps are denied.
  4. Deploy via your patch management tool (ConfigMgr, Intune, WSUS) with a phased rollout: 5% of machines day one, 20% day two, full deployment by day five.
  5. Monitor for post-patch issues: increased AppID service CPU usage, event log warnings, or unexpected blocks. If problems arise, you can temporarily roll back the individual security update using DISM.
  6. Audit access controls. Review who has interactive logon rights on sensitive systems and remove unnecessary accounts.
  7. Stay informed. Subscribe to the MSRC security update guide and the Windows Health Dashboard for any known issues with the patches.
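A per-host readiness check covering steps 1, 3 and 6 (and the patch-state check from the update section), as an added PowerShell example that is not part of the original advisory. It assumes the AppLocker module is present, that secedit is run with administrative rights, and that you replace the placeholder KB and the two test paths with the KB the MSRC guide lists for your build and with files your policy is known to allow and deny.

```powershell
# Added example, not code from the advisory. Reports AppIDSvc state, effective AppLocker
# rule count, deployed WDAC policy files, whether a given KB is installed, an allow/deny
# regression via Test-AppLockerPolicy, and who holds SeInteractiveLogonRight.
param(
    [string] $RequiredKB  = 'KB5039xxx',                              # placeholder: use the MSRC-listed KB
    [string] $AllowedPath = "$env:SystemRoot\System32\notepad.exe",   # assumed allowed by your policy
    [string] $BlockedPath = "$env:TEMP\unsigned-test.exe"             # assumed denied by your policy
)

$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# Step 1: is application control actually active on this host?
$svc = Get-Service -Name AppIDSvc
$report.AppIDSvc = "$($svc.Status) / $($svc.StartType)"
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$report.AppLockerRules = if ($policy) {
    ($policy.RuleCollections | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum } else { 0 }
# WDAC keeps deployed policies as .cip files (multi-policy) or a single SIPolicy.p7b
$ciDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
$report.WdacPolicies = @(Get-ChildItem (Join-Path $ciDir 'CiPolicies\Active') -Filter *.cip -ErrorAction SilentlyContinue).Count +
                       [int](Test-Path (Join-Path $ciDir 'SIPolicy.p7b'))

# Patch state (steps 2 and 4): the bounds-check fix is only present once the rollup is installed
$report.PatchInstalled = [bool](Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue)

# Step 3: regression check, the allowed app must still be allowed and the blocked one denied
if ($policy) {
    $decisions = Test-AppLockerPolicy -PolicyObject $policy -Path $AllowedPath, $BlockedPath -User Everyone
    $report.AllowedStillAllowed = [string]($decisions | Where-Object FilePath -eq $AllowedPath).PolicyDecision -like 'Allowed*'
    $report.BlockedStillDenied  = [string]($decisions | Where-Object FilePath -eq $BlockedPath).PolicyDecision -like 'Denied*'
}

# Step 6: which SIDs may log on interactively, exported from the local security policy
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight' | Select-Object -First 1
$report.InteractiveLogon = if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { 'not set (default)' }
Remove-Item $cfg -ErrorAction SilentlyContinue

[pscustomobject]$report
```

Run it on the pilot group before and after the update and diff the two outputs; any change in AllowedStillAllowed or BlockedStillDenied is the "faulty rollout" signal the text warns about.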

Conclusion

CVE-2026-45594 is a reminder that even services designed to enhance security can harbor their own vulnerabilities. The AppID information disclosure may not deliver a knockout blow, but it strips away a layer of defense that attackers covet. For organizations banking on application control to stop ransomware and zero-day malware, leaving this bug unpatched is an unnecessary risk.

The June 2026 Patch Tuesday fixes the coding error. Deploy it promptly, double-check your AppLocker/WDAC rules post-update, and tighten local user privileges. With those actions, you can close the door before adversaries learn how to pick the lock.