A heap‑based buffer overflow exists in the Windows Win32K graphics subsystem (GRFX). When an authorized user triggers the flaw, the attacker can execute arbitrary code with the privileges of the logged‑on account. The vulnerability directly compromises confidentiality, integrity, and availability of the affected system because malicious code can be run locally by a user who has sufficient access rights. The weakness is a classic buffer overflow (CWE‑122).

Microsoft Windows 10 versions 1607, 1809, 21H2, 22H2 and Windows 11 versions 23H2, 24H2, 25H2, 22H3, 26H1; Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025, and 23H2 Edition (both standard and Server Core).

The CVSS score of 8.8 indicates high severity. EPSS is not available, so the exploitation probability cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires an attacker to be authenticated to the target machine, the attack vector is local. Exploit steps would involve creating or manipulating a Win32K graphics request so that the heap overflow is triggered, after which arbitrary code can be injected and executed under the attacker’s user context. The risk remains high for any system on which the flaw is present until the official Microsoft security update is installed.