Microsoft has identified a critical remote code execution vulnerability affecting multiple products that requires immediate attention and patching.
Microsoft has issued security guidance for CVE-2026-32249, a critical vulnerability affecting multiple Windows products. The vulnerability allows an attacker to execute arbitrary code with elevated privileges.
CVSS 9.8 severity. Exploitation likely. Patch now.
CVE-2026-32249 is a remote code execution vulnerability in the Windows Graphics Component. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights could be less impacted than users who operate with administrative user rights.
This vulnerability affects all supported versions of Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022. Microsoft Edge on all supported platforms is also affected.
The vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.
Attackers could exploit this vulnerability by convincing a user to open a specially crafted document or visit a malicious website. No user interaction is required in targeted attacks.
Microsoft has released security updates to address this vulnerability. Organizations should apply these updates immediately.
Affected Products:
- Windows 10 Version 21H2 for x64-based Systems
- Windows 10 Version 22H2 for x64-based Systems
- Windows 11 Version 22H2 for x64-based Systems
- Windows 11 Version 23H2 for x64-based Systems
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Microsoft Edge (Stable Channel)
Mitigation:
Apply the security updates provided by Microsoft:
If unable to patch immediately, implement the following workarounds:
- Disable the Windows Graphics Component via Group Policy
- Block access to suspicious documents and websites
- Use Microsoft Edge with Enhanced Security Configuration
For enterprise environments, deploy the updates using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager.
Timeline:
- Vulnerability discovered: January 2026
- Microsoft notified: January 2026
- Patch released: February 2026 Security Tuesday
- Exploitation observed: February 2026
Microsoft has acknowledged that limited targeted exploitation of this vulnerability has been observed. Organizations are urged to prioritize patching this vulnerability above others.
For additional information, refer to the Microsoft Security Response Center or CISA Alert AA26-012A.
Comments
Please log in or register to join the discussion