CVE-2026-50382 – DirectX Graphics Kernel Remote Code Execution Vulnerability

CVSS 8.8 IMPORTANT Critical or Zero Day – Immediate Deployment

“A compromised virtual machine should never become a bridge to the host, but vulnerabilities like this can make that possible.”

An untrusted pointer dereference vulnerability in the Windows DirectX Graphics Kernel allows an authorized attacker to execute code locally. According to Microsoft, an attacker who gains access to a local guest virtual machine (VM) could exploit the flaw to attack the host operating system. Because this vulnerability crosses a virtualization boundary, successful exploitation could allow a compromise to extend beyond the guest environment.

CVSS Score: 8.8

SEVERITY: Critical

THREAT:
This vulnerability affects the Windows DirectX Graphics Kernel. An attacker with low privileges on a guest virtual machine could exploit the flaw to execute code on the host operating system. A successful attack could result in unauthorized access to host resources, system compromise, and the potential impact of other workloads running on the same host.

EXPLOITS:
The vulnerability was not publicly disclosed and was not known to be exploited at the time of publication. Microsoft rates exploitation as Exploitation Less Likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and there is no confirmation of publicly available proof-of-concept (PoC) exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by an untrusted pointer dereference (CWE-822) in the Windows DirectX Graphics Kernel. According to Microsoft’s advisory, an attacker can exploit the flaw after obtaining access to a local guest virtual machine, allowing them to attack the host operating system. The CVSS v3.1 metrics indicate a local attack vector, low attack complexity, low privileges required, no user interaction, and Scope: Changed, reflecting the potential to impact resources beyond the vulnerable component. Successful exploitation could result in high impact to confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected products include Windows 10 versions 1809, 21H2, and 22H2, Windows 11 versions 24H2, 25H2, and 26H1, Windows Server 2019, Windows Server 2022, and Windows Server 2025, including affected Server Core installations where applicable. Exploitation requires an attacker to have low-privileged access to a local guest virtual machine before targeting the host operating system.

BUSINESS IMPACT:
Organizations using virtualization technologies face an elevated risk because successful exploitation could allow an attacker to escape the guest environment and compromise the host. This could expose multiple virtual machines, sensitive workloads, and shared infrastructure, increasing the potential impact across the environment.

WORKAROUND:
No mitigations or workarounds are available.

URGENCY:
This vulnerability should be prioritized because it carries a Critical severity rating with a CVSS v3.1 Base Score of 8.8. Although exploitation requires low privileges on a guest virtual machine, the potential to compromise the host operating system makes this a significant risk for virtualized environments.

Key Details

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
CWE Classification
CWE-822
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.