CVE-2026-23656: Windows App Installer Spoofing Vulnerability

Overview

Severity: Medium (CVSS 5.9)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Category: Spoofing
Exploit Status: Not Exploited
Exploitation Likelihood: Unlikely
Patch Tuesday: 2026-Mar
Released: 2026-03-10
EPSS Score: 0.02% (percentile: 4.7%)

Description

Insufficient verification of data authenticity in Windows App Installer allows an unauthorized attacker to perform spoofing over a network.

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Exploitation requires the attacker to first gain the ability to intercept or influence update‑related network communications. This depends on environment‑specific conditions and preparatory actions that are outside the attacker’s direct control, making the exploit difficult to perform reliably.

Affected Products (1)

Windows

  • Windows App Client for Windows Desktop

Security Updates (1)

Acknowledgments

Zoltan Harmath with Microsoft

Revision History

  • 2026-03-10: Information published.