Skip to main content

Windows UxTheme CVE-2026-45606

| EUVDEUVD-2026-35685 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-09 secure@microsoft.com GHSA-r26c-hrj7-ghg6
5.5
CVSS 3.1 · NVD
Temporal: 4.8
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CIRCL (temporal)
4.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 19:39 vuln.today
Patch available
Jun 09, 2026 - 19:03 EUVD
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 5.5

DescriptionNVD

Out-of-bounds read in Microsoft UxTheme Library (uxtheme.dll) allows an authorized attacker to deny service locally.

AnalysisAI

Out-of-bounds read in Microsoft's UxTheme Library (uxtheme.dll) enables a locally authenticated attacker to crash the affected Windows system, resulting in denial of service. The vulnerability spans a broad swath of Windows releases - from Server 2012 through Windows 11 26H1 and Windows Server 2025 - making patch surface management critical for enterprise environments. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Technical ContextAI

uxtheme.dll is the Windows User Experience Theming library, responsible for rendering visual styles and theme elements across the Windows desktop environment. An out-of-bounds read (CWE-125) occurs when code reads memory beyond the bounds of an allocated buffer - in this case within the theme parsing or rendering logic. This class of vulnerability typically arises from missing or incorrect bounds checks on buffer indexing. While out-of-bounds reads most commonly manifest as information disclosure (reading adjacent memory contents), the CVSS vector here reflects only an availability impact (A:H, C:N, I:N), indicating the read triggers a fatal exception or memory access violation sufficient to crash the affected process or system. The tags in source intelligence mention 'Buffer Overflow' and 'Information Disclosure', which conflict with the CVSS impact scores - the CVSS vector is the more authoritative signal for confirmed impact. Affected CPE strings span Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server 2012 through 2025.

RemediationAI

The primary fix is to apply the Microsoft security update that ships uxtheme.dll at or above the patched build thresholds listed per-OS in the ENISA EUVD data. Updates should be obtained through Windows Update, WSUS, or Microsoft Update Catalog; consult https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45606 for the specific KB article corresponding to each affected OS. For Windows Server 2012 and 2012 R2, which are past end-of-support, updates are available only to organizations enrolled in Extended Security Updates (ESU); organizations not enrolled should prioritize migration. If immediate patching is not feasible, restricting local interactive and remote desktop access to only necessary personnel reduces the attack surface, since exploitation requires a local authenticated session (PR:L). Disabling theme services (UxSms) is a theoretically viable workaround but would break the Windows visual theming subsystem for all users and is not recommended for production environments without thorough testing. No additional compensating controls specific to this vulnerability have been identified in available intelligence.

Share

CVE-2026-45606 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy