Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Out-of-bounds read in Windows GDI allows an unauthorized attacker to disclose information locally.
AnalysisAI
Out-of-bounds read in Windows GDI allows local unauthenticated attackers to disclose sensitive information with user interaction. The vulnerability affects Windows 10 versions 1607, 1809, 21H2, and 22H2, all Windows 11 versions from 22H3 through 26H1, and Windows Server 2012 through 2025. No public exploit code or active exploitation has been confirmed; a vendor patch is available.
Technical ContextAI
Windows Graphics Device Interface (GDI) is a core Windows subsystem responsible for rendering graphics and managing device-independent graphics output. CWE-125 (out-of-bounds read) indicates that GDI processing logic fails to properly validate buffer boundaries before reading memory, allowing an attacker to access memory beyond intended allocation limits. This is distinct from a write-based buffer overflow; the vulnerability permits information disclosure rather than code execution. The affected versions span multiple Windows 10 release branches (1607, 1809, 21H2, 22H2), Windows 11 from launch (22H3) through current versions (26H1), and legacy/current server editions (Server 2012 R2 through Server 2025), indicating the flaw exists in shared GDI code common across all these builds.
RemediationAI
Vendor-released patch available from Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27930. Administrators should apply the cumulative security updates that increment build versions beyond the thresholds listed in the affected products section (for example, Windows 10 22H2 requires KB update to 10.0.19045.7184 or later; Windows Server 2025 requires 10.0.26100.32690 or later). Deploy via Windows Update, WSUS, or manual download from the MSRC advisory. No workarounds are available; patching is the only remediation. Prioritize systems where users interact with graphics-intensive applications or where multiple user sessions may process untrusted graphical content.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22486