Skip to main content

Microsoft CVE-2026-26178

| EUVDEUVD-2026-22418 HIGH
Incorrect Conversion between Numeric Types (CWE-681)
2026-04-14 microsoft GHSA-whvh-93vh-g249
8.8
CVSS 3.1 · NVD
Temporal: 7.7
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CIRCL (temporal)
7.7 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:28 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22418
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
HIGH 8.8

DescriptionCVE.org

Integer size truncation in Windows Advanced Rasterization Platform (WARP) allows an unauthorized attacker to elevate privileges locally.

AnalysisAI

Integer size truncation in Windows Advanced Rasterization Platform (WARP) enables unauthenticated remote attackers to achieve code execution with elevated privileges across Windows 10, 11, and Server editions by persuading users to interact with malicious content. Microsoft has released security updates addressing this vulnerability across all supported Windows versions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver malicious file to user
Delivery
User opens file triggering WARP rendering
Exploit
Integer truncation in size calculation
Execution
Memory corruption in WARP buffer
Impact
Escalate privileges to system level

Vulnerability AssessmentAI

Exploitation Windows Advanced Rasterization Platform (WARP) must be active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Despite the 8.8 CVSS score indicating critical severity, real-world exploitation risk is moderate due to the user interaction requirement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious web page containing specially formatted WebGL or Canvas rendering commands that trigger WARP processing when viewed in a browser. When a user visits the compromised site or clicks a phishing link, the browser attempts to render graphics content through WARP, causing integer truncation during buffer size calculation. …
Remediation Apply Microsoft security updates immediately to upgrade affected systems to patched builds: Windows 10 1607 to 10.0.14393.9060 or later, Windows 10 1809 to 10.0.17763.8644 or later, Windows 10 21H2 to 10.0.19044.7184 or later, Windows 10 22H2 to 10.0.19045.7184 or later, Windows 11 22H3/23H2 to 10.0.22631.6936 or later, Windows 11 24H2 to 10.0.26100.32690 or later, Windows 11 25H2 to 10.0.26200.8246 or later, Windows Server 2016 to 10.0.14393.9060 or later, Windows Server 2019 to 10.0.17763.8644 or later, Windows Server 2022 to 10.0.20348.5020 or later, Windows Server 2022 23H2 to 10.0.25398.2274 or later, and Windows Server 2025 to 10.0.26100.32690 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Windows 10, 11, and Server systems in your environment and identify current patch levels using WSUS or third-party patch management tools. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-26178 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy