A use‑after‑free flaw in the Microsoft Graphics Component can be triggered by an authorized user. Exploitation allows the attacker to elevate privileges on the host, potentially enabling execution of code with higher rights. The vulnerability is classified as CWE‑416 and carries a CVSS v3 score of 7.3. Although it does not grant remote code execution, the impact is that a local attacker who can invoke the flaw gains full control over the compromised machine.

Affected systems include Windows 10 releases 1607, 1809, 21H2, and 22H2, as well as Windows 11 builds 22H3, 23H2, and 26H1. The issue also impacts Windows Server 2012, 2012 R2, 2016, 2019, and 2022 in both standard and Server Core configurations. All bit‑architectures—x86, x64, and ARM64—are affected where applicable.

The CVSS score of 7.3 indicates a high severity vulnerability. However, the EPSS score is less than 1 % and the issue is not listed in CISA’s KEV catalog, which suggests a low likelihood of active exploitation at this time. The attacker requires local authorized access; there is no disclosure of a remote or network‑based exploitation path. No public exploits have been reported, and the flaw is generally expected to be triggered by interaction with the graphics component, such as opening or rendering a malicious image file. The recommended mitigation is to apply the Microsoft security update that resolves CVE‑2026‑21235, available through Windows Update or the Microsoft Security Response Center. Until the update can be applied, administrators should limit local user privileges where possible and monitor system logs for abnormal graphics component activity.