Planned Fix

CVE-2026-35421

Remote Code Execution in Microsoft Windows GDI

Summary

Heap-based buffer overflow in Windows GDI allows an unauthorized attacker to execute code locally.

Why Planned Fix?

3/6
No authentication required
Internal deployment
User interaction needed
Exploitable in default configuration
No active exploitation or PoC
High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: No

Impact

Execute arbitrary code in the context of the user who opens the crafted file

RCE (Remote Code Execution)

Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker crafts a malicious EMF image and delivers it to a Windows user. When the target opens or otherwise processes the file in Microsoft Paint or another GDI-consuming application, Windows GDI mishandles heap memory and the attacker’s code can run in the victim’s user context.

Detection Resources

Manual Detection: 0
Script Detection: 0
Scanner Detection: 0

Affected Software

Vendor: Microsoft
Product: Windows
Affected Versions: 10 1607, 10 1809, 10 21H2, 10 22H2, 11 23H2, 11 24H2, 11 25H2, 11 26H1, Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022, Server 2022 23H2, Server 2025

Description

Microsoft Windows is a desktop and server operating system used for enterprise endpoints and servers.

Deployment: Typically internal | Protocol: Local | Ports:

Affected Component

Windows GDI image parsing for Enhanced Metafile (EMF) content, including processing in Microsoft Paint and other GDI-consuming apps.

Vendor Size: Big

Remediation
Workaround

Not available

Patch

Not available

Update

Install the May 2026 Windows security update for your affected Windows release via Windows Update or the Microsoft Update Catalog.

msrc.microsoft.com

Threat Intelligence

EPSS data unavailable
CISA KEV: Not Listed
Active Exploitation: No Evidence

Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data


Description Summary

Heap-based buffer overflow in Windows GDI allows an unauthorized attacker to execute code locally.

CVSS Base Score

7.8
High

CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE: CWE-122 Heap-based Buffer Overflow

Sources

4

Priority History

Planned Fix

Initial analysis