CVE-2026-56189 – Microsoft Windows Media Foundation Remote Code Execution Vulnerability

CVSS 7.8 IMPORTANT Critical or Zero Day – Immediate Deployment

“A single malicious media file can become the doorway to a complete system compromise if vulnerable media components are left unpatched.”

A heap-based buffer overflow vulnerability in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code locally. Exploitation requires user interaction, such as opening specially crafted media content, but does not require attacker privileges. Successful exploitation could allow an attacker to gain the same rights as the current user and compromise the confidentiality, integrity, and availability of the affected system.

CVSS Score: 7.8

SEVERITY: Critical

THREAT:
This vulnerability affects Microsoft Windows Media Foundation and can allow arbitrary code execution when the vulnerable component processes specially crafted media content. A successful attack could enable malware installation, data theft, credential compromise, or further lateral movement within an environment.

EXPLOITS:
The vulnerability was not publicly disclosed at the time of publication. Microsoft assesses exploitation as less likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and there is no confirmation of publicly available proof-of-concept exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by a heap-based buffer overflow (CWE-122) in Microsoft Windows Media Foundation. Improper memory handling while processing specially crafted media content can corrupt heap memory, allowing arbitrary code execution. The vulnerability has a local attack vector, requires low attack complexity, no privileges, and user interaction. Successful exploitation can result in high impact to confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected products include supported editions of Windows 10 versions 1607, 1809, 21H2, and 22H2, Windows 11 versions 24H2, 25H2, and 26H1, Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, including affected Server Core installations. Exploitation requires a user to open or otherwise interact with specially crafted malicious media content.

BUSINESS IMPACT:
Because Windows Media Foundation is widely used to process multimedia content across Windows devices and servers, successful exploitation could allow attackers to execute malicious code, steal sensitive business information, disrupt operations, and establish persistence within enterprise environments.

WORKAROUND:
No mitigations or workarounds are available.

URGENCY:
This vulnerability should be prioritized because it is rated Critical with a CVSS v3.1 Base Score of 7.8. Although user interaction is required, successful exploitation results in arbitrary code execution with high impact to confidentiality, integrity, and availability.

Key Details

Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
CWE Classification
CWE-122
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.