CVE-2026-44803 – Windows Graphics Component Remote Code Execution Vulnerability

This vulnerability is an integer overflow or wraparound issue in Windows Win32K-GRFX. It can allow an unauthorized attacker to execute code locally after a user previews or opens a specially crafted file. The issue is rated Critical and affects multiple Windows client, Windows Server, and Microsoft Office for Android products.
CVSS Score: 7.8
SEVERITY: Critical
THREAT:
An attacker can create a malicious file that triggers the flaw when processed by the Windows Graphics Component. The attack requires user interaction, such as viewing the file in Windows File Explorer Preview Pane or opening it directly. Although the attack vector is local, the attacker may be remote and use email, file sharing, or downloads to deliver the file.

EXPLOITS:
Publicly Disclosed: No.
Exploited: No.
Exploitability assessment: Exploitation More Likely.
No public exploit, zero-day exploitation, or proof-of-concept code is confirmed in the provided data.

TECHNICAL SUMMARY:
CVE-2026-44803 is caused by an integer overflow or wraparound condition, identified as CWE-190, in the Windows Win32K graphics component. When a specially crafted file is previewed or opened, the vulnerable graphics handling logic may process malformed data incorrectly. This can lead to memory corruption and allow unauthorized code execution. The CVSS v3.1 metrics show local attack vector, low attack complexity, no privileges required, and required user interaction, with high impact to confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected software includes Microsoft Excel for Android, Microsoft PowerPoint for Android, Microsoft Word for Android, Windows 10 versions 1607, 1809, 21H2, and 22H2, Windows 11 versions 23H2, 24H2, 25H2, and 26H1, plus Windows Server 2012 through Windows Server 2025, including listed Server Core installations. Exploitation requires the victim to preview or open a specially crafted file.

BUSINESS IMPACT:
This vulnerability is dangerous because it turns normal file handling into a possible compromise path. A successful attack could allow malware execution, data theft, system tampering, service disruption, and movement deeper into the organization. Environments with heavy email attachment usage, shared folders, or document workflows face higher exposure.

WORKAROUND:
No mitigations or workarounds are listed. If updates cannot be applied immediately, reduce exposure to untrusted files, limit previewing of unknown content where possible, and monitor for suspicious document or graphics-related activity.

URGENCY:
This patch should be deployed urgently because the vulnerability is Critical, affects many Windows and Windows Server versions, requires no attacker privileges, and is assessed as exploitation more likely. Even without confirmed active exploitation, the risk is high because a crafted file and one user action may be enough to trigger code execution.