ZDI-26-294: (0Day) Microsoft Windows library-ms NTLM Response Information Disclosure Vulnerability
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must view a folder containing malicious content. The ZDI has assigned a CVSS rating of 3.5.
AI Analysis
Technical Summary
This vulnerability exists in the parsing of library-ms files on affected Microsoft Windows installations. Crafted library-ms files can cause the system to send an outgoing WebDAV request, which leaks the NTLM response associated with the current user. The attack requires the user to open or view a folder containing the malicious library-ms file, making it a user-interaction-based information disclosure vulnerability. The Zero Day Initiative assigned a CVSS score of 3.5 (AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N). The vendor was notified in December 2025 but decided not to provide a security update. The advisory was publicly released in April 2026.
Potential Impact
A network-adjacent attacker who can entice a user to view a malicious folder can obtain the user's NTLM authentication response. The leaked authentication data could potentially aid further attacks. However, the impact is limited to information disclosure, with no integrity or availability effects. The low CVSS score reflects the limited severity and the requirement for user interaction.
Mitigation Recommendations
The vendor has not issued a patch or official fix, stating the vulnerability does not meet the servicing criteria. Therefore, no official remediation is available. The primary mitigation is to restrict user interaction with untrusted or suspicious folders containing library-ms files. Users and administrators should avoid opening folders from untrusted sources that might contain crafted library-ms files to prevent exploitation.
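A defender-side check for the behaviour described above, added here as an example and not taken from the ZDI advisory or from Microsoft: it walks a directory tree and reports library-ms files whose location entries name a remote host (UNC path or HTTP(S) URL). It assumes the remote reference sits in a `<url>` element, as in Microsoft's documented library description schema (the advisory does not say which element is involved); the function names, sample documents and example.invalid hosts are constructed.

```python
import os
import re
import xml.etree.ElementTree as ET

# Remote forms: UNC path (\\host\share or //host/share) or an http(s) URL.
# The host capture stops at '\', '/', '@' or ':' so a port suffix is excluded.
REMOTE = re.compile(r"^\s*(?:\\\\|//|https?://)([^\\/@:\s]+)", re.IGNORECASE)

def remote_hosts(data):
    """Return the remote hosts named by <url> elements in one library-ms document."""
    root = ET.fromstring(data)
    hosts = []
    for el in root.iter():
        # Compare the local tag name so the check works with or without a namespace.
        if isinstance(el.tag, str) and el.tag.rsplit("}", 1)[-1] == "url":
            m = REMOTE.match(el.text or "")
            if m:
                hosts.append(m.group(1).lower())
    return hosts

def scan_tree(top, allowed_hosts=()):
    """List (path, hosts) for library-ms files pointing at hosts not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            if not name.lower().endswith(".library-ms"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hosts = remote_hosts(fh.read())
            except (OSError, ET.ParseError):
                # Unreadable or malformed files are reported for manual review.
                findings.append((path, ["<unparseable>"]))
                continue
            bad = [h for h in hosts if h not in allowed]
            if bad:
                findings.append((path, bad))
    return findings

# Constructed sample documents (assumption: schema layout per Microsoft's docs).
_TEMPLATE = (
    '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
    "<searchConnectorDescriptionList><searchConnectorDescription><simpleLocation>"
    "<url>%s</url></simpleLocation></searchConnectorDescription>"
    "</searchConnectorDescriptionList></libraryDescription>")
SAMPLE_LOCAL = _TEMPLATE % r"C:\Users\Public\Documents"
SAMPLE_REMOTE = _TEMPLATE % r"\\fileserver.example.invalid\share"
```

Run `scan_tree` over download folders, extracted archives and shared drives; pass known-good file servers in `allowed_hosts` so legitimate network libraries are not reported.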
Technical Details
- Article Source: http://www.zerodayinitiative.com/advisories/ZDI-26-294/ (fetched 2026-05-26T19:57:53.912Z)
Threat ID: 6a15fc93e29bf47b5055dfce
Added to database: 5/26/2026, 8:03:31 PM
Last enriched: 5/26/2026, 8:06:32 PM
Last updated: 5/26/2026, 10:23:04 PM