SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-50380 2026-07-14

CVE-2026-50380: Critical Windows GDI+ Heap Overflow Enables Remote Code Execution

"Microsoft has disclosed CVE-2026-50380, a critical heap-based buffer overflow in Windows GDI+ that lets an unauthorized attacker execute code over a network, scoring 9.6 on the CVSS 3.1 scale."

Microsoft has disclosed CVE-2026-50380, a critical heap-based buffer overflow in Windows GDI+ that lets an unauthorized attacker execute code over a network, scoring 9.6 on the CVSS 3.1 scale.

What Is It

CVE-2026-50380 is a heap-based buffer overflow (CWE-122) in Windows GDI+, the graphics component responsible for rendering images and drawing operations across Windows. According to Microsoft, the flaw allows an unauthorized attacker to execute code over a network. It carries a CVSS 3.1 base score of 9.6 (Critical) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, network-reachable, low attack complexity, no privileges required, but requiring user interaction. The scope is marked as changed, and confidentiality, integrity, and availability impacts are all rated high.

Why It Matters

A 9.6 score reflects a serious risk: an attacker needs no prior privileges and can reach the target over a network. The only barrier is user interaction, meaning a victim would likely need to open or view a malicious file or image that triggers the GDI+ rendering path. Because the scope is changed, successful exploitation can affect resources beyond the vulnerable component. Full compromise of confidentiality, integrity, and availability puts affected systems at risk of complete takeover.

What's Vulnerable

The vulnerability affects a broad range of Microsoft Windows client and server releases, including:

Both 32-bit, x64-based, and ARM64-based systems are affected depending on the release.

Patch Status

Microsoft published this CVE on July 14, 2026, with fixed builds available per affected product. Because Windows 11 24H2 and Windows Server 2025 share the same 26100 build base, both are fixed in build 10.0.26100.8875. The NVD record lists the vulnerability status as "Awaiting Analysis." No CISA KEV entry was supplied, so active exploitation is not confirmed in this source material. Administrators should apply the relevant Microsoft security update for their Windows version.

Sources