Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionNVD
Out-of-bounds read in Microsoft UxTheme Library (uxtheme.dll) allows an authorized attacker to deny service locally.
AnalysisAI
Out-of-bounds read in Microsoft's UxTheme Library (uxtheme.dll) enables a locally authenticated attacker to crash the affected Windows system, resulting in denial of service. The vulnerability spans a broad swath of Windows releases - from Server 2012 through Windows 11 26H1 and Windows Server 2025 - making patch surface management critical for enterprise environments. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Technical ContextAI
uxtheme.dll is the Windows User Experience Theming library, responsible for rendering visual styles and theme elements across the Windows desktop environment. An out-of-bounds read (CWE-125) occurs when code reads memory beyond the bounds of an allocated buffer - in this case within the theme parsing or rendering logic. This class of vulnerability typically arises from missing or incorrect bounds checks on buffer indexing. While out-of-bounds reads most commonly manifest as information disclosure (reading adjacent memory contents), the CVSS vector here reflects only an availability impact (A:H, C:N, I:N), indicating the read triggers a fatal exception or memory access violation sufficient to crash the affected process or system. The tags in source intelligence mention 'Buffer Overflow' and 'Information Disclosure', which conflict with the CVSS impact scores - the CVSS vector is the more authoritative signal for confirmed impact. Affected CPE strings span Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server 2012 through 2025.
RemediationAI
The primary fix is to apply the Microsoft security update that ships uxtheme.dll at or above the patched build thresholds listed per-OS in the ENISA EUVD data. Updates should be obtained through Windows Update, WSUS, or Microsoft Update Catalog; consult https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45606 for the specific KB article corresponding to each affected OS. For Windows Server 2012 and 2012 R2, which are past end-of-support, updates are available only to organizations enrolled in Extended Security Updates (ESU); organizations not enrolled should prioritize migration. If immediate patching is not feasible, restricting local interactive and remote desktop access to only necessary personnel reduces the attack surface, since exploitation requires a local authenticated session (PR:L). Disabling theme services (UxSms) is a theoretically viable workaround but would break the Windows visual theming subsystem for all users and is not recommended for production environments without thorough testing. No additional compensating controls specific to this vulnerability have been identified in available intelligence.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35685
GHSA-r26c-hrj7-ghg6