CVE-2026-49796 – Windows GDI+ Remote Code Execution Vulnerability

CVSS 7.8 IMPORTANT Critical or Zero Day – Immediate Deployment

“A malicious image can become a direct path to code execution when trusted graphics components process unsafe data.”

A heap-based buffer overflow vulnerability in Windows GDI+ allows an unauthorized attacker to execute code locally. Exploitation requires user interaction, such as opening or processing specially crafted content. Successful exploitation could allow arbitrary code execution with high impact to the confidentiality, integrity, and availability of the affected system.

CVSS Score: 7.8

SEVERITY: Critical

THREAT:
This vulnerability affects Windows GDI+, a graphics component used by Windows applications to render image content. An attacker could deliver specially crafted content through email, websites, documents, or file-sharing platforms and convince a user to open or process it. Successful exploitation could allow the attacker to run malicious code with the privileges of the current user.

EXPLOITS:
The vulnerability was not publicly disclosed at the time of publication. Microsoft assesses exploitation as less likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and the available information does not confirm the existence of publicly available proof-of-concept exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by a heap-based buffer overflow (CWE-122) in Windows GDI+. Improper memory handling while processing crafted graphics content can write data beyond allocated memory boundaries, causing memory corruption and potentially enabling arbitrary code execution. The CVSS v3.1 metrics identify a local attack vector, low attack complexity, no privileges required, and user interaction required. Although the vulnerability is classified as Remote Code Execution, the attack itself is carried out locally after malicious content is processed on the target system.

EXPLOITABILITY:
Affected products include Windows 10 versions 1607, 1809, 21H2, and 22H2, Windows 11 versions 24H2, 25H2, and 26H1, and Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, including listed Server Core installations. Exploitation requires the target user or system to process specially crafted graphics content.

BUSINESS IMPACT:
Successful exploitation could allow attackers to install malware, steal sensitive information, modify files, disrupt services, or use the compromised system as a foothold for broader attacks. Because graphics content is commonly embedded in documents, websites, and email, this vulnerability creates a practical path for social engineering and content-based attacks.

WORKAROUND:
No mitigations or workarounds are available.

URGENCY:
This vulnerability should be prioritized because it is rated Critical with a CVSS v3.1 Base Score of 7.8. Although exploitation requires user interaction, Windows GDI+ is widely used to process image content across many applications, increasing the number of possible attack paths.

Key Details

Affected Product
Microsoft Windows 10 1607
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
CWE Classification
CWE-122
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.