Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local authenticated code execution with no user interaction elevates to SYSTEM, so AV:L, PR:L, AC:L, UI:N with full C/I/A impact and unchanged scope.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Stack-based buffer overflow in Windows GDI allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege elevation in the Windows Graphics Device Interface (GDI) component allows an already-authenticated, low-privileged user to run code at a higher privilege level by triggering a stack-based buffer overflow (CWE-121). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025, including Server Core installations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already be authenticated on the target with low privileges and to be able to execute code locally (CVSS AV:L, PR:L), so this cannot be triggered remotely or by an unauthenticated actor - an initial foothold on the host is a hard prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8 High) describes a local, low-complexity attack requiring existing low-level privileges and no user interaction, with high confidentiality, integrity and availability impact - a classic local privilege-escalation profile rather than a remotely reachable flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already gained a low-privileged foothold on a Windows host - for example through phishing, a compromised low-privilege service account, or an unprivileged local user - runs a crafted program that feeds malformed graphics data to GDI, triggering the stack-based buffer overflow. With no user interaction required and low attack complexity, the overflow corrupts kernel-mode stack memory to hijack execution and elevate to SYSTEM. … |
| Remediation | Apply the Microsoft security update for CVE-2026-50387 as documented in the vendor advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50387 (Patch available per vendor advisory); install the cumulative update corresponding to each affected Windows 10, Windows 11, and Windows Server build, including Server Core installations, since GDI is a core OS component and no product-level feature toggle exists to disable it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Windows 10 (versions 1607-22H2), Windows 11 (versions 24H2, 25H2, 26H1), and Windows Server 2012-2025 systems in your environment, prioritizing domain controllers, file servers, and privileged access workstations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Microsoft Office 365 For Mac
View allLocal code execution in Microsoft Word (and Office/SharePoint components that render Word content) stems from an integer
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, and the macOS editions) arises
Arbitrary code execution in Microsoft Office Word (and the broader Office/365/SharePoint family) arises from a stack-bas
Local code execution in Microsoft Word (part of Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and Office for M
Local arbitrary code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and O
Arbitrary code execution in Microsoft PowerPoint (and the broader Microsoft Office/365 suite on Windows and macOS) arise
Local code execution in Microsoft Office PowerPoint (including Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, a
Local code execution in Microsoft Office PowerPoint (CWE-122 heap-based buffer overflow) lets an unauthorized attacker r
Local code execution in Microsoft Word (and the wider Microsoft Office / Microsoft 365 Apps family) lets an unauthorized
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office for
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, and Office for Mac 2021/2024)
Local code execution in Microsoft Office Word (CWE-416 use-after-free) allows an unauthorized attacker to run arbitrary
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43932
GHSA-9q2r-53gw-xr3v