Description
Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally.
Published: 2025-12-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (local)
Action: Assess Impact
AI Analysis

Impact

The vulnerability consists of a null pointer dereference in the Windows DirectX graphics kernel that can be triggered by an authorized user, leading to a local denial of service. An attacker who is already authenticated or has authorized access can cause the system to become unresponsive or unstable without compromising data confidentiality or integrity. The impact is limited to the affected machine and is not a remote or privilege‑escalation flaw.

Affected Systems

Microsoft Windows 10 versions 21H2 and 22H2, Windows 11 versions 22H3, 23H2, 24H2, and 25H2, and Windows Server 2022 (including Server Core 23H2 Edition) and Windows Server 2025 (including Server Core).

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local authorized access and a trigger that causes the DirectX graphics kernel to dereference a null pointer, likely through specially crafted graphics input or a fault in DirectX processing. Given the local nature and need for authorized use, the attack vector is limited to privileged users or a compromised local session.

Generated by OpenCVE AI on April 20, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Microsoft security updates that include the fix for the DirectX null pointer dereference.
  • Enforce least‑privilege on user accounts and services so that only trusted applications have access to DirectX drivers.
  • Monitor for DirectX‑related system freezes or crashes and apply any available vendor workarounds until the update is installed.



Advisories

No advisories yet.

History

Wed, 10 Dec 2025 18:45:00 +0000

Type Values Removed Values Added
First Time appeared:
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows 11 23h2
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows Server 2022 23h2
CPEs:
  cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Vendors & Products:
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows 11 23h2
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows Server 2022 23h2

Tue, 09 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Description: Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally.
Title: DirectX Graphics Kernel Denial of Service Vulnerability
First Time appeared:
  Microsoft
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows 11 23h2
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows Server 2022
  Microsoft windows Server 2025
  Microsoft windows Server 23h2
Weaknesses: CWE-476
CPEs:
  cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products:
  Microsoft
  Microsoft windows 10 21h2
  Microsoft windows 10 22h2
  Microsoft windows 11 23h2
  Microsoft windows 11 24h2
  Microsoft windows 11 25h2
  Microsoft windows Server 2022
  Microsoft windows Server 2025
  Microsoft windows Server 23h2
References
Metrics: cvssV3_1
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:45.704Z

Reserved: 2025-10-14T18:24:58.484Z

Link: CVE-2025-62463

Vulnrichment

Updated: 2025-12-09T20:15:14.987Z

NVD

Status: Analyzed

Published: 2025-12-09T18:15:58.030

Modified: 2025-12-10T18:44:42.067

Link: CVE-2025-62463

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:15:11Z

Weaknesses