CVE-2026-50380 – Windows GDI+ Remote Code Execution Vulnerability
“One malicious image can become the doorway to a full system compromise when trusted graphics components fail.”
A heap-based buffer overflow vulnerability in Windows GDI+ allows an unauthorized attacker to execute arbitrary code when a user opens or processes a specially crafted EMF+ file. The vulnerability is triggered during the rendering of a malicious image record, resulting in memory corruption. Because Windows GDI+ is widely used to process graphics across Windows applications, successful exploitation could lead to complete system compromise.
CVSS Score: 9.6
SEVERITY: Critical
THREAT:
This vulnerability affects the Windows GDI+ graphics component responsible for rendering image content. A successful attack could allow an attacker to execute arbitrary code on a target system after convincing a user to open or process a malicious EMF+ file. Successful exploitation could provide control over the affected system and enable further malicious activity.
EXPLOITS:
The vulnerability was not publicly disclosed and was not known to be exploited at the time of publication. Microsoft rates exploitation as Exploitation Less Likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and there is no confirmation of publicly available proof-of-concept (PoC) exploit code.
TECHNICAL SUMMARY:
The vulnerability is caused by a heap-based buffer overflow (CWE-122) in Windows GDI+. According to Microsoft’s advisory, an attacker can craft a malicious EMF+ file containing a specially designed image record. When the file is opened or otherwise rendered, Windows GDI+ may write beyond the bounds of allocated memory, causing memory corruption that can lead to arbitrary code execution. The CVSS v3.1 metrics indicate a network attack vector, low attack complexity, no privileges required, user interaction required, and Scope: Changed, reflecting the potential to impact resources beyond the vulnerable component.
EXPLOITABILITY:
Affected products include Windows 10 versions 1607, 1809, 21H2, and 22H2, Windows 11 versions 24H2, 25H2, and 26H1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025, including affected Server Core installations where listed. Exploitation requires a user to open or otherwise process a specially crafted EMF+ file.
BUSINESS IMPACT:
Successful exploitation could allow attackers to compromise user workstations or servers through malicious image files delivered by email, websites, or shared documents. A compromised system could expose sensitive information, enable malware deployment, facilitate lateral movement, and disrupt business operations.
WORKAROUND:
No mitigations or workarounds are available.
URGENCY:
This vulnerability should be prioritized because it carries a Critical severity rating with a CVSS v3.1 Base Score of 9.6. Although user interaction is required, exploitation requires no privileges, targets a widely used graphics component, and can result in complete system compromise once a malicious file is processed.
Key Details
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- Required
- CWE Classification
- CWE-122