CVE-2025-47971: 
vulnerability analysis and mitigation

A buffer over-read vulnerability in Microsoft's Virtual Hard Disk (VHDX) was identified and assigned CVE-2025-47971. The vulnerability was discovered and reported to Microsoft, with the initial CVE record created on May 14, 2025, and subsequently published to the National Vulnerability Database (NVD) on July 8, 2025. This security flaw affects multiple versions of Microsoft Windows Server and Windows operating systems (NVD, CVE).

The vulnerability is classified as CWE-126 (Buffer Over-read) and has received a CVSS v3.1 Base Score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This scoring indicates that the vulnerability requires local access, has low attack complexity, needs no privileges, but requires user interaction. The impact potential is high across confidentiality, integrity, and availability (NVD).

The vulnerability allows an unauthorized attacker to elevate privileges locally, potentially gaining higher levels of access to the affected system. This could lead to complete compromise of system confidentiality, integrity, and availability on affected Windows systems (NVD).

Microsoft has identified affected versions of Windows Server and Windows operating systems, including Windows Server 2008 through 2025 and Windows 10/11 versions. Updates are available for all affected versions, with specific version numbers provided for each affected system. For example, Windows Server 2025 should be updated to version 10.0.26100.4652 or later (NVD).