CVE-2026-44812 – Windows Graphics Component Remote Code Execution Vulnerability

CVSS 7.8 IMPORTANT

“A single malicious file preview can become the doorway to full system compromise, turning a routine user action into a serious security incident.”

This vulnerability is an integer overflow flaw in the Windows Graphics Component (Win32K-GRFX) that can allow an attacker to execute arbitrary code on a target system. Exploitation requires a user to view a specially crafted file in the Windows File Explorer Preview Pane or to open the malicious file directly. Successful exploitation could give an attacker the ability to run code with significant impact to the confidentiality, integrity, and availability of affected systems. The vulnerability affects a broad range of Windows desktop, server, and Microsoft Office Android products.

CVSS Score: 7.8
SEVERITY: Critical
THREAT:
The vulnerability allows remote code execution through a locally triggered attack path. An attacker can craft a malicious file designed to exploit an integer overflow condition within the Windows graphics processing components. Because user interaction is required, attackers may use phishing emails, malicious downloads, or shared files to entice victims into opening or previewing the file. Once exploited, the vulnerability can result in unauthorized code execution on the affected device.

EXPLOITS:
At the time of publication, the vulnerability was not publicly disclosed and no active exploitation was reported. Microsoft’s exploitability assessment indicates exploitation is considered more likely, but there is currently no known public exploit, proof-of-concept (PoC), or zero-day activity associated with this vulnerability.

TECHNICAL SUMMARY:
CVE-2026-44812 is caused by an integer overflow or wraparound condition (CWE-190) within the Windows Win32K Graphics subsystem. Integer overflows occur when arithmetic operations exceed the storage capacity of a variable, resulting in unexpected values that can alter program execution. By supplying specially crafted graphical content through a malicious file, an attacker may trigger memory corruption conditions that enable arbitrary code execution. The flaw affects the handling of graphics-related data and could allow attacker-controlled code to execute when the file is processed by the operating system. The impact includes potential compromise of system confidentiality, integrity, and availability.
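
A generic illustration of the CWE-190 pattern described above, added here as an example: it is not Microsoft's code and does not reproduce the actual Win32K-GRFX flaw, whose details the advisory does not give. The img_dims structure, the function names, the 256 MiB limit and the sample dimensions are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header fields, as a parser would read them from an untrusted file. */
typedef struct {
    uint32_t width, height, bytes_per_pixel;
} img_dims;

/* Weak form: the 32-bit product wraps silently (CWE-190), so the caller
 * allocates a small buffer and later writes width*height pixels into it. */
uint32_t pixel_bytes_unchecked(const img_dims *d)
{
    return d->width * d->height * d->bytes_per_pixel;
}

/* Hardened form: prove each multiplication fits before doing it, then
 * enforce an application limit. Returns false if the header is rejected. */
bool pixel_bytes_checked(const img_dims *d, size_t max_bytes, size_t *out)
{
    size_t w = d->width, h = d->height, b = d->bytes_per_pixel;

    if (w == 0 || h == 0 || b == 0)
        return false;
    if (w > SIZE_MAX / h)            /* w * h would overflow */
        return false;
    if (w * h > SIZE_MAX / b)        /* (w * h) * b would overflow */
        return false;
    if (w * h * b > max_bytes)       /* larger than we are willing to allocate */
        return false;
    *out = w * h * b;
    return true;
}

int main(void)
{
    /* Constructed sample: true size is 2^32 + 2^18 bytes. */
    img_dims crafted = { 65536u, 16385u, 4u };
    size_t n = 0;

    printf("unchecked: %u bytes\n", (unsigned)pixel_bytes_unchecked(&crafted));
    printf("checked:   %s\n",
           pixel_bytes_checked(&crafted, (size_t)256 << 20, &n) ? "accepted" : "rejected");
    return 0;
}
```

The unchecked function reports a 262144-byte buffer for data that actually needs more than 4 GiB, which is the mismatch that leads to memory corruption; the checked function rejects the same header before any allocation happens.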

EXPLOITABILITY:
Affected products include Microsoft Excel for Android, Microsoft Word for Android, and Microsoft PowerPoint for Android; Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, including Server Core installations where listed.
Exploitation requires a user to preview or open a specially crafted file. No privileges are required before exploitation, but user interaction is necessary.

BUSINESS IMPACT:
This vulnerability creates a significant risk because routine user actions such as opening or previewing files can trigger code execution. Successful attacks may lead to system compromise, malware deployment, unauthorized access to sensitive information, operational disruption, and potential lateral movement within enterprise environments. Organizations that rely heavily on file sharing, email attachments, or document workflows face elevated exposure. The broad range of affected Windows and server platforms increases the potential organizational impact.

WORKAROUND:
No mitigations or workarounds have been provided.
Organizations that cannot immediately deploy updates should increase monitoring of suspicious file activity, restrict unnecessary file previews where operationally feasible, and reinforce user awareness regarding untrusted attachments and downloaded content.

URGENCY:
This vulnerability affects a wide range of supported Windows and Windows Server platforms and is rated Critical. Although no active exploitation has been reported, the vulnerability enables remote code execution and requires only limited user interaction through opening or previewing a malicious file. The combination of broad exposure, high-impact outcomes, and Microsoft’s assessment that exploitation is more likely makes rapid deployment of security updates a high priority.

Key Details

Affected Product: Microsoft Excel
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
CWE Classification: CWE-190