Impact
The vulnerability arises from an untrusted search path within the Windows Graphics Device Interface (GDI) subsystem. When a GDI function loads a shared library, it follows the system's library search order, which an attacker with local user access can influence. The flaw therefore permits execution of arbitrary code from an attacker‑chosen location: a local code execution vulnerability classified as CWE‑426 (Untrusted Search Path). It can lead to full system compromise if the attacker's binary runs with the rights of the user or process that initiates the GDI request.
Affected Systems
The affected products are Microsoft Windows 10 (versions 1607, 1809, 21H2, 22H2) and Microsoft Windows 11 (versions 23H2, 24H2, 25H2, 22H3, 26H1). It also impacts Microsoft Windows Server editions from 2012 through 2025, including the Server Core configurations of 2012, 2012 R2, 2016, 2019, 2022, and 2025. The CPE listing covers the x86, x64 and ARM64 architectures of these operating systems.
Risk and Exploitability
With a CVSS base score of 7.8, the vulnerability is rated high impact, yet its EPSS score of below 1 % indicates that real‑world exploitation is currently scarce. The vulnerability is not listed in the CISA KEV catalogue. Based on the description, it is inferred that an attacker would place a malicious DLL or other executable in a directory that appears earlier in the GDI search path than the legitimate library, causing the system to load and execute the attacker‑controlled code. Successful exploitation requires local user privileges or the ability to influence a GDI request, but once achieved it yields code execution with the privileges of the requesting process, potentially enabling further privilege escalation. The risk therefore remains significant until the vendor's security update is applied.
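The precondition described above for this class of bug is a directory that is searched before the legitimate library location and that a low-privilege user can write to. The following PowerShell audit is an added example (it is not part of the advisory or any Microsoft tooling): it reports whether the documented SafeDllSearchMode setting is enabled and flags machine PATH directories that grant write access to Everyone, Authenticated Users or BUILTIN\Users. It assumes it is run with sufficient rights to read the ACLs of every PATH directory.

```powershell
# Added example: audit DLL search-order exposure on a Windows host (defender-side hardening check).

# 1) SafeDllSearchMode: absent or 1 means the safe order is in effect; 0 moves the current
#    directory ahead of the system directories in the search order.
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$safeMode = (Get-ItemProperty -Path $sessionMgr -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
if ($null -eq $safeMode -or $safeMode -eq 1) {
    Write-Output 'SafeDllSearchMode: enabled (default)'
} else {
    Write-Warning 'SafeDllSearchMode is disabled (0): the current directory is searched early'
}

# 2) Low-privilege principals whose write rights on a search-path directory indicate exposure.
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, BUILTIN\Users
# WriteData (0x2) and AppendData (0x4) are also contained in Write, Modify and FullControl;
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) cover ACEs expressed with generic rights.
$writeBits = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

function Get-SidString([System.Security.Principal.IdentityReference] $identity) {
    # Returns the SID string for an ACE identity, or $null when the account cannot be resolved.
    try { return $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }
}

# Machine-wide PATH entries that exist as directories (REG_EXPAND_SZ values are already expanded here).
$searchDirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Select-Object -Unique

foreach ($dir in $searchDirs) {
    $acl = Get-Acl -LiteralPath $dir
    $exposed = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $writeBits) -ne 0 -and
        $lowPrivSids -contains (Get-SidString $_.IdentityReference)
    }
    if ($exposed) {
        $who = ($exposed.IdentityReference | ForEach-Object { $_.Value } | Select-Object -Unique) -join ', '
        Write-Warning ("Search-path directory writable by low-privilege principals: {0} ({1})" -f $dir, $who)
    } else {
        Write-Output ("OK: {0}" -f $dir)
    }
}
```

Any directory it flags should have its ACL tightened or be removed from the machine PATH; the check covers only the PATH portion of the search order, not the application directory or per-process current directory.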
OpenCVE Enrichment