CVE-2026-45642: Microsoft Azure Attestation service and Device Health Attestation Service Spoofing Vulnerability

Overview

Severity: Low (CVSS 3.9)
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Category: Spoofing
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2026-Jun
Released: 2026-06-09

Description

Improper input validation in Microsoft Azure Attestation service and Device Health Attestation Service allows an authorized attacker to perform spoofing with a physical attack.

FAQ

How do I protect myself from this vulnerability?

Microsoft has already deployed a service-side fix for this vulnerability in Azure Attestation. No customer patching or update installation is required. To ensure you remain protected, follow the guidance below:

  • Use the latest supported attestation policy. No action is required if you are already using the current recommended policy version (1.2) for Azure Attestation.
  • Do not rely on certain attestation events for security decisions. Customers should not use the following events for security assertions in attestation policies: EV_EFI_VARIABLE_AUTHORITY and EV_EFI_BOOT_SERVICES_APPLICATION. These events can no longer be considered trustworthy signals for attestation evaluation.
  • Adjust existing policies if needed. If your current attestation policy relies on these events for security enforcement, update it to remove them. You may still reference these events for diagnostic or informational purposes only, but they should not be used to make trust decisions.
  • Continue monitoring via supported claims. If needed, the above events are still available in the allEvents claim. However, Microsoft does not guarantee the integrity or trustworthiness of data within these events.
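One way to audit an existing policy against the guidance above, as an added example that is not Microsoft's code or tooling: the function below scans policy text for rules that name either event and follows the claims those rules produce into later rules, so every issued claim that depends on them is listed for review. It assumes the `c:[type=="..."] => add(...)/issue(...)` rule shape with `JmesPath` event filters; the sample policy and its claim names are constructed.

```python
import re

# The two event types the advisory says must not drive trust decisions.
UNTRUSTED_EVENTS = ("EV_EFI_VARIABLE_AUTHORITY", "EV_EFI_BOOT_SERVICES_APPLICATION")

# Constructed sample policy for illustration; claim names are hypothetical.
SAMPLE_POLICY = """version=1.2;
authorizationrules { => permit(); };
issuancerules {
c:[type=="events", issuer=="AttestationService"] => add(type="bootApps", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_BOOT_SERVICES_APPLICATION']"));
c:[type=="bootApps", issuer=="AttestationPolicy"] => issue(type="bootChainTrusted", value=true);
c:[type=="events", issuer=="AttestationService"] => add(type="drvCfg", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG']"));
c:[type=="drvCfg", issuer=="AttestationPolicy"] => issue(type="driverConfigSeen", value=true);
};
"""

def audit_policy(text):
    """Return (version, findings) for an attestation policy given as text.
    A finding is (claim, action, reason): a claim made by add()/issue() whose
    rule names an untrusted event or consumes a claim that already depends on one."""
    m = re.search(r"\bversion\s*=\s*([\d.]+)", text)
    version = m.group(1) if m else None
    rules = []
    for stmt in text.split(";"):          # assumption: no ';' inside string literals
        lhs, sep, rhs = stmt.partition("=>")
        if not sep:
            continue
        inputs = set(re.findall(r'\btype\s*==\s*"([^"]+)"', lhs))
        outputs = re.findall(r'\b(add|issue)\s*\(\s*type\s*=\s*"([^"]+)"', rhs)
        events = [e for e in UNTRUSTED_EVENTS if e in stmt]
        rules.append((inputs, outputs, events))
    tainted, findings, changed = {}, [], True
    while changed:                        # fixpoint, so rule order does not matter
        changed = False
        for inputs, outputs, events in rules:
            reason = events[0] if events else next(
                (f"via {c}" for c in sorted(inputs) if c in tainted), None)
            for action, claim in outputs:
                if reason and claim not in tainted:
                    tainted[claim] = reason
                    findings.append((claim, action, reason))
                    changed = True
    return version, findings

if __name__ == "__main__":
    version, findings = audit_policy(SAMPLE_POLICY)
    print("policy version:", version)
    for claim, action, reason in findings:
        print(f"{action}(type={claim!r}) depends on untrusted event data: {reason}")
```

A finding with action `issue` is a claim that reaches the attestation token; whether it is diagnostic or used for enforcement is a decision for the reviewer, since the relying party's use of the claim is not visible in the policy.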

Affected Products (30)

Windows

  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows Server 2025 (Server Core installation)
  • Windows 11 Version 25H2 for ARM64-based Systems
  • Windows 11 Version 25H2 for x64-based Systems
  • Windows 11 Version 23H2 for ARM64-based Systems
  • Windows 11 Version 23H2 for x64-based Systems
  • Windows 11 Version 24H2 for ARM64-based Systems
  • Windows 11 Version 24H2 for x64-based Systems
  • Windows Server 2025
  • Windows 11 version 26H1 for x64-based Systems
  • Windows 11 Version 26H1 for ARM64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)

ESU

  • Windows 10 Version 22H2 for x64-based Systems
  • Windows 10 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for 32-bit Systems
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)

Security Updates (10)

Acknowledgments

Nick Peterson (https://x.com/nickeverdox/) with Riot Games (https://www.riotgames.com/)

Revision History

  • 2026-06-09: Information published.