CVE-2025-47973: 
vulnerability analysis and mitigation

A buffer over-read vulnerability in Microsoft's Virtual Hard Disk (VHDX) was identified and assigned CVE-2025-47973. The vulnerability was discovered and reported to Microsoft, with the initial disclosure date being July 8, 2025. This security flaw affects multiple versions of Microsoft Windows Server and Windows operating systems, including Windows Server 2008, 2012, 2016, 2019, 2022, and various Windows 10 and 11 versions (NVD).

The vulnerability is classified as a Buffer Over-read (CWE-126) issue. Microsoft has assigned a CVSS v3.1 base score of 7.8 (HIGH), with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This scoring indicates that the vulnerability requires local access, has low attack complexity, needs no privileges, but requires user interaction. The impact potential is high across confidentiality, integrity, and availability (NVD).

The vulnerability allows an unauthorized attacker to elevate privileges locally on affected systems. This means successful exploitation could lead to an attacker gaining elevated system privileges, potentially compromising the security of the affected system (NVD).

Microsoft has released security updates to address this vulnerability. The fixes are available for all affected versions of Windows and Windows Server, with specific version numbers varying by product. For Windows Server 2022, the update is available for versions up to (excluding) 10.0.20348.3932, while for Windows 11, updates are available for versions up to (excluding) 10.0.26100.4652 (NVD).