Skip to main content

Microsoft CVE-2026-27930

| EUVDEUVD-2026-22486 MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-14 microsoft
5.5
CVSS 3.1 · NVD
Temporal: 4.8
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CIRCL (temporal)
4.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 19:42 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22486
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
MEDIUM 5.5

DescriptionCVE.org

Out-of-bounds read in Windows GDI allows an unauthorized attacker to disclose information locally.

AnalysisAI

Out-of-bounds read in Windows GDI allows local unauthenticated attackers to disclose sensitive information with user interaction. The vulnerability affects Windows 10 versions 1607, 1809, 21H2, and 22H2, all Windows 11 versions from 22H3 through 26H1, and Windows Server 2012 through 2025. No public exploit code or active exploitation has been confirmed; a vendor patch is available.

Technical ContextAI

Windows Graphics Device Interface (GDI) is a core Windows subsystem responsible for rendering graphics and managing device-independent graphics output. CWE-125 (out-of-bounds read) indicates that GDI processing logic fails to properly validate buffer boundaries before reading memory, allowing an attacker to access memory beyond intended allocation limits. This is distinct from a write-based buffer overflow; the vulnerability permits information disclosure rather than code execution. The affected versions span multiple Windows 10 release branches (1607, 1809, 21H2, 22H2), Windows 11 from launch (22H3) through current versions (26H1), and legacy/current server editions (Server 2012 R2 through Server 2025), indicating the flaw exists in shared GDI code common across all these builds.

RemediationAI

Vendor-released patch available from Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27930. Administrators should apply the cumulative security updates that increment build versions beyond the thresholds listed in the affected products section (for example, Windows 10 22H2 requires KB update to 10.0.19045.7184 or later; Windows Server 2025 requires 10.0.26100.32690 or later). Deploy via Windows Update, WSUS, or manual download from the MSRC advisory. No workarounds are available; patching is the only remediation. Prioritize systems where users interact with graphics-intensive applications or where multiple user sessions may process untrusted graphical content.

Share

CVE-2026-27930 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy