CVE-2026-44803: Windows Graphics Component Remote Code Execution Vulnerability
Integer overflow or wraparound in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 6.2.9200.26132
- Affected Products
- 23
HarborGuard Analysis
Synopsis
An integer overflow in the Windows Graphics Component (Win32K - GRFX) allows a local attacker to execute arbitrary code on affected Windows systems. The vulnerability is reached locally and requires no authentication, but does require the victim to interact with a malicious file or content. Successful exploitation gives the attacker full code execution in the context of the affected process, with high impact to confidentiality, integrity, and availability. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows-based container images.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built Windows container images derived from affected base layers.
AvailableTriage is available with CVSS v3.1 scoring at 7.8 (HIGH), weighted against each customer organization's compliance policy to determine priority routing and assignment to the appropriate team inbox.
AvailableA patched-image rebuild targeting the applicable fix versions (6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417) becomes available on HarborGuard for environments running an affected base image. For customers who opt into auto-remediation, HarborGuard runs a regression test suite and opens a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the service is required.
- AuthenticationNot required
No account or credentials are required to trigger the vulnerability; the attacker exploits it through user-mode access without prior authentication.
- Victim interactionRequired
A user on the target machine must open or interact with attacker-controlled content, such as a malicious document or graphic file, for the exploit to trigger.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond obtaining victim interaction.
Blast Radius
- The attacker executes arbitrary code in the context of the process handling the malicious graphic content.
- All data accessible to that process is readable, including files, tokens, and in-memory secrets.
- The attacker can write or modify any data the process can access, including persisted files and registry entries.
- The affected process and any dependent services can be crashed or rendered unavailable.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any customer image built on an affected Windows base layer. Where compliance policy permits, a rebuilt image pinned to the appropriate fix version (10.0.14393.9234, 10.0.17763.8880, or 10.0.19044.7417 depending on the base) becomes available for deployment. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs the configured regression suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Because this vulnerability requires victim interaction via a crafted file, teams that cannot immediately apply the patched base image should consider restricting document-rendering workloads through network policy isolation or process-level sandboxing as a compensating control until the rebuild is applied.
Fix available
- Microsoft / Microsoft Excel for Android-
- Microsoft / Microsoft PowerPoint for Android-
- Microsoft / Microsoft Word for Android-
- Microsoft / Windows 10 Version 1607< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2< 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2< 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2< 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2< 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation)< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation)< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C