CVE-2026-35421 – Windows GDI Remote Code Execution Vulnerability

A critical remote code execution vulnerability exists in Windows GDI due to a heap-based buffer overflow. An unauthorized attacker could exploit the flaw locally if a user opens or processes a specially crafted Enhanced Metafile file using Microsoft Paint.
CVSS Score: 7.8
SEVERITY: Critical
THREAT:
This vulnerability could allow an attacker to execute code on an affected system through malicious EMF content. Successful exploitation may lead to malware execution, data theft, workstation compromise, and further movement inside the organization.

EXPLOITS:
At the time of publication, Microsoft reports that the vulnerability was not publicly disclosed and was not exploited. Exploit Code Maturity is listed as Unproven, and exploitation is assessed as Unlikely.

TECHNICAL SUMMARY:
CVE-2026-35421 is caused by a heap-based buffer overflow in Windows GDI. The vulnerability is triggered when specially crafted Enhanced Metafile content is opened or processed using Microsoft Paint, causing the affected Windows graphics component to mishandle memory. Although the title uses “Remote Code Execution,” the CVSS attack vector is Local because the malicious file must be processed on the target machine. User interaction is required.

EXPLOITABILITY:
Affected software is Windows GDI. Exploitation requires a user to open or process a specially crafted EMF file using Microsoft Paint. No privileges are required, but user interaction is required.

BUSINESS IMPACT:
A successful exploit could compromise employee endpoints, expose sensitive files, and give attackers a foothold for broader attacks. Malicious image-based files can be delivered through email, downloads, or file shares, making user-targeted attacks a realistic concern.

WORKAROUND:
No mitigations or workarounds are listed. Apply the official Microsoft security update.

URGENCY:
This vulnerability should be prioritized because it is rated Critical and can lead to code execution through crafted graphics content. Even though exploitation is assessed as Unlikely, file-based attacks remain a common way to target users.