SB2026031073 - Multiple vulnerabilities in Microsoft Windows Graphics Component

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Race condition (CVE-ID: CVE-2026-23668)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in Windows Graphics Component. A local user can exploit the race and escalate privileges on the system.

2) Out-of-bounds read (CVE-ID: CVE-2026-25180)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in Windows Graphics Component. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.

3) NULL pointer dereference (CVE-ID: CVE-2026-25168)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in Windows Graphics Component. A local attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

4) Division by zero (CVE-ID: CVE-2026-25169)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the divide-by-zero issue in Windows Graphics Component. A local attacker can cause a denial of service condition on the target system.

Remediation

Install update from vendor's website.

References

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23668
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25180
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25168
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25169