Microsoft has disclosed CVE-2026-50380, a critical heap-based buffer overflow in Windows GDI+ that lets an unauthorized attacker execute code over a network, scoring 9.6 on the CVSS 3.1 scale.
What Is It
CVE-2026-50380 is a heap-based buffer overflow (CWE-122) in Windows GDI+, the graphics component responsible for rendering images and drawing operations across Windows. According to Microsoft, the flaw allows an unauthorized attacker to execute code over a network. It carries a CVSS 3.1 base score of 9.6 (Critical) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, network-reachable, low attack complexity, no privileges required, but requiring user interaction. The scope is marked as changed, and confidentiality, integrity, and availability impacts are all rated high.
Why It Matters
A 9.6 score reflects a serious risk: an attacker needs no prior privileges and can reach the target over a network. The only barrier is user interaction, meaning a victim would likely need to open or view a malicious file or image that triggers the GDI+ rendering path. Because the scope is changed, successful exploitation can affect resources beyond the vulnerable component. Full compromise of confidentiality, integrity, and availability puts affected systems at risk of complete takeover.
What's Vulnerable
The vulnerability affects a broad range of Microsoft Windows client and server releases, including:
- Windows 10 (Versions 1607, 1809, 21H2, 22H2)
- Windows 11 (Versions 24H2, 25H2, 26H1)
- Windows Server 2012 and 2012 R2 (including Server Core installations)
- Windows Server 2016, 2019, 2022, and 2025 (including Server Core installations)
Both 32-bit, x64-based, and ARM64-based systems are affected depending on the release.
Patch Status
Microsoft published this CVE on July 14, 2026, with fixed builds available per affected product. Because Windows 11 24H2 and Windows Server 2025 share the same 26100 build base, both are fixed in build 10.0.26100.8875. The NVD record lists the vulnerability status as "Awaiting Analysis." No CISA KEV entry was supplied, so active exploitation is not confirmed in this source material. Administrators should apply the relevant Microsoft security update for their Windows version.