HIGH | CVE-2026-48574 | CNA: microsoft

CVE-2026-48574: Windows Media Remote Code Execution Vulnerability

Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 6.2.9200.26132
Affected Products: 20

HarborGuard Analysis

Synopsis

Heap-based buffer overflow in Windows Media allows an attacker with local access to execute arbitrary code on affected Windows systems. The vulnerability is reached locally and requires no authentication, but the attacker must convince a user to open a malicious media file. Successful exploitation gives the attacker full control over the affected process, including the ability to read, modify, or destroy data and install additional software. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows-based container images.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from Microsoft's advisory feed and upstream vulnerability databases within minutes of publication, then matched against all customer images in connected registries and CI/CD pipelines, including custom-built Windows container images. Any image containing a Windows Media component at a vulnerable version is flagged automatically, regardless of how the image was assembled.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.8 HIGH and weighting it against each customer organization's compliance policy to determine urgency and escalation path. Triage routing is available to direct the finding to the appropriate team inbox within each customer environment based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild at the applicable fix version (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, or the corresponding Windows 11 patch level) becomes available on HarborGuard once the upstream patched base layer is published. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the vulnerable component is required.

  • Authentication: Not required

    No account or credentials are required before triggering the overflow; the attack is launched through a crafted media file without prior login.

  • Victim interaction: Required

    A user on the targeted system must open or preview a malicious media file, making social engineering a prerequisite for exploitation.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special race condition, memory-layout knowledge, or other environmental precondition beyond getting the victim to open the file.

Blast Radius

  • The attacker executes arbitrary code in the context of the user who opened the malicious media file.
  • All files readable by that user account are accessible, including documents, credentials cached on disk, and browser profile data.
  • The attacker can write or overwrite files within the user's permissions, modifying application data or planting persistent malware.
  • The affected media process can be crashed or held indefinitely, disrupting any service or workflow that depends on Windows Media processing.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE is active for all customer environments scanning Windows-based container images, with matching occurring within minutes of CVE publication. Once Microsoft's patched base layers are available, HarborGuard can generate a rebuilt image at the appropriate fix version for each affected image in a customer's registry. For customers who opt into auto-remediation, the platform can rebuild the image, execute the configured regression test suite, and open a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where compliance policy or organizational workflow requires manual approval, HarborGuard surfaces the finding with CVSS score, affected image list, and recommended target version so engineers can act immediately. Because user interaction is required to trigger this vulnerability, customers running Windows Media in non-interactive container workloads may treat this as lower operational priority while the patch is staged.

Fix available

  • 6.2.9200.26132
  • 6.3.9600.23228
  • 10.0.14393.9234
  • 10.0.17763.8880
  • 10.0.19044.7417
  • 10.0.19045.7417
  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2012
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 (Server Core installation)
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 R2
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2012 R2 (Server Core installation)
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
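
The range check implied by the list above, as an added example (not HarborGuard's or Microsoft's code); it embeds a subset of the page's ranges, and the function names and inventory entries are constructed for illustration. Versions are compared numerically and per product, because build 10.0.26100 is shared by Windows 11 Version 24H2 and Windows Server 2025 with different fix revisions.

```python
# Added example: range check over a subset of the page's "Affected packages" list.
# product -> (first affected version, first fixed version), copied from this page
AFFECTED = {
    "Windows 10 Version 22H2": ("10.0.19045.0", "10.0.19045.7417"),
    "Windows 11 Version 24H2": ("10.0.26100.0", "10.0.26100.8655"),
    "Windows Server 2025": ("10.0.26100.0", "10.0.26100.32995"),
    "Windows Server 2022": ("10.0.20348.0", "10.0.20348.5256"),
    "Windows Server 2012 R2": ("6.3.9600.0", "6.3.9600.23228"),
}

# Constructed sample inventory: (image name, product, OS version). Names are hypothetical.
INVENTORY = [
    ("img-a", "Windows 11 Version 24H2", "10.0.26100.8655"),  # at the 24H2 fix level
    ("img-b", "Windows Server 2025", "10.0.26100.8655"),      # same string, below Server 2025 fix
    ("img-c", "Windows Server 2022", "10.0.20348.5256"),      # at the fix level
    ("img-d", "Windows Server 2012 R2", "6.3.9600.23227"),    # one revision short
]


def parse_version(text):
    """Turn 'major.minor.build.revision' into a tuple of ints for numeric comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product, version):
    """True if version is in [from, fixed) for product; None if product is not in the table."""
    if product not in AFFECTED:
        return None
    start, fixed = (parse_version(v) for v in AFFECTED[product])
    return start <= parse_version(version) < fixed


def triage(inventory):
    """Return the names of inventory entries that still need the fixed build."""
    return [name for name, product, version in inventory if is_vulnerable(product, version)]


if __name__ == "__main__":
    print(triage(INVENTORY))
```

A plain string comparison would rank "10.0.26100.8655" above "10.0.26100.32995" and miss img-b, which is why the revision is parsed as an integer.
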
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C