ZDI 2026-04-21

ZDI-26-294: (0Day) Microsoft Windows library-ms NTLM Response Information Disclosure Vulnerability

Machine-generated analysis · WAYSCloud LLM

The vulnerability requires user interaction through viewing a folder with malicious content, which may limit exposure to network-adjacent attackers.

Context

The affected component is Microsoft Windows, specifically related to library-ms file handling. The vulnerability is an NTLM response information disclosure that can be triggered when a user views a folder containing malicious content. The advisory notes user interaction is required, indicating the attack cannot be fully remote. Worth noting the CVSS score is relatively low at 3.5, reflecting the constraints on exploitation.

Operator considerations

Check: Verify if systems process library-ms files from untrusted sources.
Log: Monitor for unexpected NTLM authentication attempts originating from user workstations.

From Zero Day Initiative ↗

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must view a folder containing malicious content. The ZDI has assigned a CVSS rating of 3.5.

Read the full advisory on ZDI →