Microsoft has fixed CVE-2026-33842, an Important-rated Windows File Explorer information-disclosure vulnerability, in the July 14, 2026 security updates. The flaw can allow a locally authenticated attacker to expose sensitive information without requiring another user to interact with a file or dialog.
Detailed in Microsoft’s Security Update Guide, CVE-2026-33842 carries a CVSS 3.1 base score of 5.5. Microsoft had not identified public disclosure or active exploitation when the update was released, according to the July Patch Tuesday assessment published by Trend Micro’s Zero Day Initiative.
The practical response is straightforward: install the July 2026 cumulative update applicable to each supported Windows client and server release. Administrators should not wait for a separate File Explorer package because the correction is delivered through Windows servicing.
Microsoft describes CVE-2026-33842 as an exposure of sensitive information to an unauthorized actor in Windows File Explorer. The advisory says an authorized attacker can disclose information locally, but it does not publicly identify the precise data exposed, the affected File Explorer operation, or the underlying programming error.
Its vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, exploitation requires local access and low privileges, has low attack complexity, and does not depend on user interaction.
That combination makes CVE-2026-33842 different from the familiar Explorer vulnerabilities involving a malicious archive, shortcut, preview handler, or network share that must be opened by a victim. Microsoft’s current scoring indicates that the attacker is already able to operate under an account on the machine.
Successful exploitation produces a high confidentiality impact but no direct integrity or availability impact. In other words, Microsoft is not describing a flaw that changes files, grants administrator rights, executes arbitrary code, or crashes the PC. It is a flaw that could reveal information the attacker should not be able to obtain.
This distinction matters for triage. CVE-2026-33842 is not presented as an initial-access route from the internet, but information leaks can still support a broader attack by exposing data that helps an intruder understand the system, target another account, or bypass a separate protection.
Microsoft has mapped the weakness to CWE-200, Exposure of Sensitive Information to an Unauthorized Actor. That is a broad classification rather than a technical explanation, leaving defenders without enough public detail to build a reliable behavior-based detection rule around this individual bug.
The affected-product data supplied by Microsoft covers Windows 10, Windows 11, and multiple Windows Server generations. Confirmed affected branches include Windows 10 versions 1607, 1809, 21H2, and 22H2, plus Windows 11 versions 23H2, 24H2, 25H2, and 26H1.
Server editions are also represented, including Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025, as well as older Windows Server branches still receiving applicable security servicing. Organizations should therefore assess the CVE by installed operating-system build rather than assuming that systems without routine desktop use are irrelevant.
Microsoft’s affected-version records identify these corrected client build thresholds:
The broad version coverage also means patch-management reports should verify the resulting OS build, not merely record that a generic July update was approved. Devices can miss deployment because of servicing prerequisites, maintenance windows, restart deferrals, update rings, or an unsupported lifecycle state.
Alongside CVE-2026-33842, Microsoft fixed CVE-2026-40422, CVE-2026-41087, CVE-2026-50473, CVE-2026-50442, CVE-2026-50389, CVE-2026-50456, and CVE-2026-57084. Their matching severity and impact classifications do not necessarily mean that they share the same root cause or expose the same information.
Microsoft has not published enough technical detail to determine whether the eight records represent closely related variants, separate code paths found during a coordinated review, or independent reports grouped by component. Administrators should avoid assuming that a workaround for one Explorer behavior would mitigate the others.
The cluster is nevertheless useful context. CVE-2026-33842 is part of a wider set of confidentiality fixes in a component installed almost everywhere in the Windows estate, strengthening the case for treating the cumulative update as the mitigation rather than attempting to disable individual shell features.
It also arrived in an unusually large Patch Tuesday. BleepingComputer counted 570 vulnerabilities released by Microsoft on July 14, including 102 information-disclosure issues, while the Zero Day Initiative’s broader accounting included hundreds of additional Microsoft CVEs and product updates. Differences in headline totals reflect how outlets count browser fixes, previously released records, and other entries, but both assessments show an exceptional triage load for enterprise teams.
Remote Desktop Session Hosts, administrative jump servers, developer workstations, shared laboratory PCs, virtual desktop pools, and multi-user application servers deserve closer attention. On those machines, an authenticated attacker may have both an opportunity to run local code and a meaningful confidentiality boundary to cross.
Security teams should also consider CVE-2026-33842 in conjunction with privilege-escalation flaws. An information leak may supply useful system or process data, while another vulnerability provides the mechanism for obtaining higher privileges. Microsoft has not said that CVE-2026-33842 is being used in such a chain, but patching only according to isolated CVSS scores can miss that cumulative risk.
There is currently little value in searching for a public proof of concept or crafting a narrowly targeted Explorer policy. Microsoft reported no active exploitation, the Zero Day Initiative marked the vulnerability as neither public nor exploited, and the advisory does not disclose a specific trigger that administrators can disable safely.
The sensible deployment order is to prioritize exposed and heavily shared systems, validate business-critical Explorer and shell integrations in a test ring, and then move the July cumulative updates through the wider fleet. Endpoint teams should confirm successful installation and reboot completion through Intune, Windows Autopatch, Configuration Manager, Windows Server Update Services, or their third-party patch platform.
CVE-2026-33842 is principally a confidentiality problem after local access has already been obtained, but its presence across supported Windows client and server branches gives it enterprise-wide reach. Until Microsoft or the reporting researcher publishes deeper technical analysis, reaching the corrected July 2026 build remains the only dependable way to close it.
Detailed in Microsoft’s Security Update Guide, CVE-2026-33842 carries a CVSS 3.1 base score of 5.5. Microsoft had not identified public disclosure or active exploitation when the update was released, according to the July Patch Tuesday assessment published by Trend Micro’s Zero Day Initiative.
The practical response is straightforward: install the July 2026 cumulative update applicable to each supported Windows client and server release. Administrators should not wait for a separate File Explorer package because the correction is delivered through Windows servicing.
The CVSS Vector Points to a Post-Compromise Risk
Microsoft describes CVE-2026-33842 as an exposure of sensitive information to an unauthorized actor in Windows File Explorer. The advisory says an authorized attacker can disclose information locally, but it does not publicly identify the precise data exposed, the affected File Explorer operation, or the underlying programming error.Its vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, exploitation requires local access and low privileges, has low attack complexity, and does not depend on user interaction.
That combination makes CVE-2026-33842 different from the familiar Explorer vulnerabilities involving a malicious archive, shortcut, preview handler, or network share that must be opened by a victim. Microsoft’s current scoring indicates that the attacker is already able to operate under an account on the machine.
Successful exploitation produces a high confidentiality impact but no direct integrity or availability impact. In other words, Microsoft is not describing a flaw that changes files, grants administrator rights, executes arbitrary code, or crashes the PC. It is a flaw that could reveal information the attacker should not be able to obtain.
This distinction matters for triage. CVE-2026-33842 is not presented as an initial-access route from the internet, but information leaks can still support a broader attack by exposing data that helps an intruder understand the system, target another account, or bypass a separate protection.
Microsoft has mapped the weakness to CWE-200, Exposure of Sensitive Information to an Unauthorized Actor. That is a broad classification rather than a technical explanation, leaving defenders without enough public detail to build a reliable behavior-based detection rule around this individual bug.
File Explorer’s Reach Extends Beyond the Desktop
File Explorer is most visible as the Windows shell used to browse folders, copy files, mount shares, and manage storage. Its components and behaviors, however, sit across a wide range of Windows editions, including server installations where administrators may rarely launch an interactive Explorer window.The affected-product data supplied by Microsoft covers Windows 10, Windows 11, and multiple Windows Server generations. Confirmed affected branches include Windows 10 versions 1607, 1809, 21H2, and 22H2, plus Windows 11 versions 23H2, 24H2, 25H2, and 26H1.
Server editions are also represented, including Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025, as well as older Windows Server branches still receiving applicable security servicing. Organizations should therefore assess the CVE by installed operating-system build rather than assuming that systems without routine desktop use are irrelevant.
Microsoft’s affected-version records identify these corrected client build thresholds:
- Windows 10 version 1607 is updated to build 14393.9339.
- Windows 10 version 1809 is updated to build 17763.9020.
- Windows 10 version 21H2 is updated to build 19044.7548.
- Windows 10 version 22H2 is updated to build 19045.7548.
- Windows 11 version 23H2 is updated to build 22631.7376.
- Windows 11 versions 24H2 and 25H2 are updated to build 26100.8875 and 26200.8875, respectively.
- Windows 11 version 26H1 is updated to build 28000.2269.
The broad version coverage also means patch-management reports should verify the resulting OS build, not merely record that a generic July update was approved. Devices can miss deployment because of servicing prerequisites, maintenance windows, restart deferrals, update rings, or an unsupported lifecycle state.
Eight Explorer Disclosures Land in One Patch Cycle
CVE-2026-33842 was not the only File Explorer information leak addressed on July 14. The Zero Day Initiative’s Patch Tuesday review lists eight Important-rated Explorer information-disclosure vulnerabilities, each with a CVSS score of 5.5 and no reported public disclosure or exploitation at release.Alongside CVE-2026-33842, Microsoft fixed CVE-2026-40422, CVE-2026-41087, CVE-2026-50473, CVE-2026-50442, CVE-2026-50389, CVE-2026-50456, and CVE-2026-57084. Their matching severity and impact classifications do not necessarily mean that they share the same root cause or expose the same information.
Microsoft has not published enough technical detail to determine whether the eight records represent closely related variants, separate code paths found during a coordinated review, or independent reports grouped by component. Administrators should avoid assuming that a workaround for one Explorer behavior would mitigate the others.
The cluster is nevertheless useful context. CVE-2026-33842 is part of a wider set of confidentiality fixes in a component installed almost everywhere in the Windows estate, strengthening the case for treating the cumulative update as the mitigation rather than attempting to disable individual shell features.
It also arrived in an unusually large Patch Tuesday. BleepingComputer counted 570 vulnerabilities released by Microsoft on July 14, including 102 information-disclosure issues, while the Zero Day Initiative’s broader accounting included hundreds of additional Microsoft CVEs and product updates. Differences in headline totals reflect how outlets count browser fixes, previously released records, and other entries, but both assessments show an exceptional triage load for enterprise teams.
Patch Priority Depends on Who Can Log On
Microsoft’s local attack vector lowers the urgency compared with an unauthenticated remote-code-execution vulnerability exposed directly to the network. It does not make the flaw harmless, particularly on shared systems where lower-privileged users and sensitive workloads coexist.Remote Desktop Session Hosts, administrative jump servers, developer workstations, shared laboratory PCs, virtual desktop pools, and multi-user application servers deserve closer attention. On those machines, an authenticated attacker may have both an opportunity to run local code and a meaningful confidentiality boundary to cross.
Security teams should also consider CVE-2026-33842 in conjunction with privilege-escalation flaws. An information leak may supply useful system or process data, while another vulnerability provides the mechanism for obtaining higher privileges. Microsoft has not said that CVE-2026-33842 is being used in such a chain, but patching only according to isolated CVSS scores can miss that cumulative risk.
There is currently little value in searching for a public proof of concept or crafting a narrowly targeted Explorer policy. Microsoft reported no active exploitation, the Zero Day Initiative marked the vulnerability as neither public nor exploited, and the advisory does not disclose a specific trigger that administrators can disable safely.
The sensible deployment order is to prioritize exposed and heavily shared systems, validate business-critical Explorer and shell integrations in a test ring, and then move the July cumulative updates through the wider fleet. Endpoint teams should confirm successful installation and reboot completion through Intune, Windows Autopatch, Configuration Manager, Windows Server Update Services, or their third-party patch platform.
CVE-2026-33842 is principally a confidentiality problem after local access has already been obtained, but its presence across supported Windows client and server branches gives it enterprise-wide reach. Until Microsoft or the reporting researcher publishes deeper technical analysis, reaching the corrected July 2026 build remains the only dependable way to close it.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com