Microsoft Addresses Critical Vulnerability CVE-2026-37457 in Security Update
Microsoft has released critical security updates to address CVE-2026-37457, a severe vulnerability affecting multiple products. The vulnerability could allow remote code execution with elevated privileges.
Impact Assessment
This vulnerability carries a CVSS score of 8.8, indicating high severity. Successful exploitation could allow an attacker to execute arbitrary code on affected systems.
Affected Products
The following Microsoft products are affected:
- Windows 10 (version 21H2 and later)
- Windows 11 (all versions)
- Microsoft Office 2019 and 2021
- Microsoft 365 Apps
- Microsoft Edge (Chromium-based)
Mitigation Steps
Microsoft recommends immediate action:
- Apply the security updates provided in the Security Update Guide
- For systems that cannot be updated immediately, implement the following workarounds:
  - Enable Windows Defender Application Control
  - Configure Microsoft Defender Antivirus to block the specific attack vectors
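The following PowerShell posture check is an added example, not part of the advisory or Microsoft's guidance: it reports, without changing anything, whether the two workarounds above are in place on an endpoint. It assumes the Win32_DeviceGuard CIM class and the Get-MpComputerStatus cmdlet are available, and the KB number is a placeholder because the page does not give one.

```powershell
# Read-only posture check for the listed workarounds: WDAC enforcement and
# Defender Antivirus real-time protection. Run in an elevated session.
function Test-MitigationPosture {
    [CmdletBinding()]
    param(
        # Placeholder: replace with the KB from the Security Update Guide entry.
        [string]$UpdateKb = 'KB_PLACEHOLDER'
    )

    # WDAC / code-integrity state. Enforcement status values:
    # 0 = off, 1 = audit mode, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $wdacEnforced = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)

    # Defender Antivirus engine and signature freshness.
    $mp = Get-MpComputerStatus
    $sigAgeDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated `
                                -End (Get-Date)).Days

    # Update presence is only meaningful once a real KB is supplied.
    $patched = if ($UpdateKb -ne 'KB_PLACEHOLDER') {
        [bool](Get-HotFix -Id $UpdateKb -ErrorAction SilentlyContinue)
    } else { $null }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        UpdateInstalled      = $patched            # $null until a KB is given
        WdacUserModeEnforced = $wdacEnforced
        WdacKernelModeStatus = $dg.CodeIntegrityPolicyEnforcementStatus
        RealTimeProtection   = $mp.RealTimeProtectionEnabled
        SignatureAgeDays     = $sigAgeDays
        # Workarounds count as in place only with user-mode WDAC enforced,
        # real-time protection on, and signatures no older than one day.
        WorkaroundsInPlace   = ($wdacEnforced -and
                                $mp.RealTimeProtectionEnabled -and
                                $sigAgeDays -le 1)
    }
}

Test-MitigationPosture | Format-List
```

A host where UpdateInstalled is $true can be removed from the workaround list; one where it is $false and WorkaroundsInPlace is $false should be prioritised for patching.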
Timeline
- Discovery: October 2025
- Notification to Microsoft: October 25, 2025
- Fix Development: October 26-November 15, 2025
- Release Date: December 12, 2025
- Public Disclosure: December 19, 2025
Technical Details
The vulnerability exists in the way the Microsoft Windows Graphics Component handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
Exploitation requires user interaction: an attacker would have to convince a user to open a specially crafted file or visit a malicious website. No authentication is required.
Additional Resources
For more information, see the Microsoft Security Response Center blog post and the full security advisory.
Organizations should also review the Microsoft Security Updates page for additional guidance on deployment.
Contact Information
For questions about this security update, contact Microsoft Security Response Center.