Impact
An integer size truncation flaw exists in the Windows Advanced Rasterization Platform (WARP). This defect can allow an attacker who has local access or can supply crafted data to the rendering engine to obtain elevated privileges on the affected system. The vulnerability stems from incorrect integer handling and type conversion, as reflected in the associated CWE-190 and CWE-681 identifiers. If exploited, the attacker could execute arbitrary code with higher privileges, potentially compromising system integrity and confidentiality.
Affected Systems
Microsoft Windows 10 versions 1607, 1809, 21H2, and 22H2; Microsoft Windows 11 versions 23H2, 24H2, 25H2, and 22H3; Microsoft Windows Server 2016 (including Server Core), 2019 (including Server Core), 2022, 2025, and the 23H2 edition. All these releases include the vulnerable WARP component as listed in the Common Platform Enumeration references.
Risk and Exploitability
The CVSS score of 8.8 places this flaw in the high-severity range. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Because the attack vector is local, an adversary must already have some foothold on the host to deliver the exploit payload. Once the local attacker triggers the integer truncation within WARP, they can gain administrative privileges, enabling complete takeover of the system. The lack of a publicly known exploit does not reduce the need for quick remediation, as local privilege escalation opportunities are routinely leveraged by threat actors.