Heap-based buffer overflow in Windows and Windows Server - CVE-2026-49796

 

Heap-based buffer overflow in Windows and Windows Server - CVE-2026-49796

Published: July 17, 2026


Vulnerability identifier: #VU137973
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-49796
CWE-ID: CWE-122
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Microsoft
Affected software:
Windows
Windows Server

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to heap-based buffer overflow in Windows GDI+ when processing crafted content locally. A local user can execute crafted code on the local system to execute arbitrary code.

The issue is described as remote code execution in the title, but exploitation occurs locally.


How to mitigate CVE-2026-49796

Install security update from vendor's website.

Sources