Microsoft has issued critical security updates for a remote code execution vulnerability affecting multiple products. The vulnerability has a CVSS score of 9.8 and is being actively exploited in the wild.
Critical Microsoft Vulnerability CVE-2026-46236 Allows Remote Code Execution
Microsoft has identified a critical security vulnerability affecting multiple products. Attackers can exploit this vulnerability to execute arbitrary code on affected systems without authentication. The vulnerability has a CVSS score of 9.8 and is being actively exploited in the wild.
What's Affected
The following Microsoft products are affected by CVE-2026-46236:
- Windows 10 (version 1903 and later)
- Windows 11 (all versions)
- Windows Server 2019 and 2022
- Microsoft Office 2019 and 2021
- Microsoft 365 Apps
Technical Details
CVE-2026-46236 is a remote code execution vulnerability in the Windows Graphics Component. The vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
Attackers could run arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights could be less impacted than users who operate with administrative user rights.
The vulnerability was discovered by security researchers at Zero Day Initiative who reported it to Microsoft through their vulnerability reporting program.
Severity and Impact
CVSS Base Score: 9.8 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
This vulnerability is critical due to its high severity and the fact that it can be exploited remotely without authentication. Systems with this vulnerability exposed to the internet are at significant risk of compromise.
Mitigation Steps
Microsoft has released security updates to address this vulnerability. Organizations should apply the following updates immediately:
- For Windows systems: Install the security updates released on Patch Tuesday, January 14, 2026
- For Microsoft Office: Update to version 2101 (Build 13628.20664) or later
- For Microsoft 365 Apps: Ensure automatic updates are enabled or manually update to the latest version
Workarounds
If unable to apply the security updates immediately, Microsoft recommends the following workarounds:
- Enable the Enhanced Mitigation Experience Toolkit (EMET) for additional protection
- Implement network segmentation to limit exposure
- Use application control solutions to block unauthorized applications
Timeline
- Discovery: December 15, 2025
- Reported to Microsoft: December 16, 2025
- Patch release: January 14, 2026
- Public disclosure: January 21, 2026
Organizations should prioritize applying these updates as soon as possible. For additional information, refer to Microsoft's Security Update Guide and the official MSRC blog.
The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, urging immediate action.
Comments
Please log in or register to join the discussion