Description
Integer overflow or wraparound in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally.
Published: 2026-06-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer overflow or wraparound in the Windows Win32K graphics component (GRFX). An unprivileged attacker can use this flaw to execute arbitrary code on the target system. The issue is catalogued as CWE‑190 and can lead to full compromise of the affected machine without external network access.

Affected Systems

Affected products include Microsoft Office for Android applications—Excel, PowerPoint, and Word. Windows 10 releases 1607, 1809, 21H2, and 22H2, Windows 11 releases 23H2, 24H2, 25H2, and 26H1, and Windows Server releases from 2012 through 2025 are also impacted. No specific version subset is listed, indicating all versions of those products are vulnerable.

Risk and Exploitability

The CVSS score of 7.8 marks the flaw as high severity with potential for full system compromise. Although the EPSS score is not available, the flaw is not listed in the CISA KEV catalog. Exploitation requires local access; an attacker must supply crafted graphics input that triggers the overflow, likely during normal user interaction with Office files or graphical content on the device.

Generated by OpenCVE AI on June 9, 2026 at 18:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security update for Windows 10, 11, and Windows Server from the Microsoft Update Catalog or Windows Update
  • Update Microsoft Office for Android (Excel, PowerPoint, Word) to the most recent version available through the Google Play Store
  • If an update cannot be applied immediately, restrict use of affected graphics features by disabling GPU acceleration or configuring device policies to block execution of untrusted graphical content

Generated by OpenCVE AI on June 9, 2026 at 18:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2012 (server Core Installation)
Microsoft windows Server 2012 R2
Microsoft windows Server 2012 R2 (server Core Installation)
Microsoft windows Server 2016 (server Core Installation)
Microsoft windows Server 2019 (server Core Installation)
Microsoft windows Server 2025 (server Core Installation)
Vendors & Products Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2012 (server Core Installation)
Microsoft windows Server 2012 R2
Microsoft windows Server 2012 R2 (server Core Installation)
Microsoft windows Server 2016 (server Core Installation)
Microsoft windows Server 2019 (server Core Installation)
Microsoft windows Server 2025 (server Core Installation)

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Integer overflow or wraparound in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally.
Title Windows Graphics Component Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft excel
Microsoft powerpoint
Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2012
Microsoft windows Server 2012 R2
Microsoft windows Server 2016
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Microsoft word
Weaknesses CWE-190
CPEs cpe:2.3:a:microsoft:excel:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:word:*:*:*:*:*:android:*:*
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft excel
Microsoft powerpoint
Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2012
Microsoft windows Server 2012 R2
Microsoft windows Server 2016
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Microsoft word
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Excel Powerpoint Windows 10 1607 Windows 10 1809 Windows 10 21h2 Windows 10 21h2 Windows 10 22h2 Windows 10 22h2 Windows 11 23h2 Windows 11 23h2 Windows 11 24h2 Windows 11 24h2 Windows 11 25h2 Windows 11 25h2 Windows 11 26h1 Windows 11 26h1 Windows Server 2012 Windows Server 2012 (server Core Installation) Windows Server 2012 R2 Windows Server 2012 R2 Windows Server 2012 R2 (server Core Installation) Windows Server 2016 Windows Server 2016 (server Core Installation) Windows Server 2019 Windows Server 2019 (server Core Installation) Windows Server 2022 Windows Server 2025 Windows Server 2025 (server Core Installation) Word
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T10:09:20.076Z

Reserved: 2026-05-07T20:07:18.270Z

Link: CVE-2026-44803

cve-icon Vulnrichment

Updated: 2026-06-10T10:09:14.923Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:16.163

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-44803

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T11:00:14Z

Weaknesses