CVE-2026-20846 lets an unauthenticated network attacker trigger a denial of service on affected Windows systems through a buffer over-read in Windows GDI+. Patch exposed systems now.
Impact
Microsoft has fixed CVE-2026-20846, a high-severity denial-of-service vulnerability in Windows GDI+. The flaw affects supported Windows client and server releases. The risk is service disruption. No credentials are required. No user interaction is required under the CVSS assessment.
The vulnerability is tracked in the Microsoft Security Update Guide and the NVD entry for CVE-2026-20846. NVD lists the issue as CWE-126, Buffer Over-read, with a CVSS 3.1 base score of 7.5, High. The vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Treat this as urgent for systems that process untrusted graphics, documents, image uploads, previews, thumbnails, or remote content. GDI+ is a core Windows graphics component. It is not only used by desktop apps. It can be reached through services, document pipelines, print and preview workflows, web apps running on Windows, and automation jobs that render or inspect images.
Technical Details
CVE-2026-20846 is a buffer over-read in Windows GDI+. A buffer over-read occurs when software reads past the end of an allocated memory region. Depending on what lies beyond the buffer, the read returns unrelated memory contents or hits an unmapped page and raises an access violation that terminates the process handling the malformed input. In this case, Microsoft and NVD classify the impact as availability loss, not confidentiality or integrity compromise.
The CVSS vector matters. AV:N means the attack can be delivered over a network. AC:L means attack complexity is low. PR:N means no privileges are required. UI:N means exploitation does not require a victim to click or open a file. A:H means the availability impact is high. Scope is unchanged (S:U), so the failure is expected to affect the vulnerable component or process rather than cross a security boundary.
GDI+ handles 2D graphics rendering. Applications call it to draw shapes, load images, render text, create thumbnails, and convert graphical formats. A flaw in this layer can become reachable in many ways. A server-side application may accept an uploaded image and generate a preview. A document service may render embedded graphics. A workflow engine may inspect file metadata. A remote desktop or application publishing environment may process graphics as part of normal session activity.
Do not limit triage to user workstations. Servers are in scope. Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022 23H2, and Windows Server 2025 appear in the NVD affected configuration data. Windows 10 and Windows 11 releases are also listed.
Affected Products
NVD lists the following affected Windows configurations. Where the NVD record publishes a fixed build, the table gives it as a "before" threshold; releases without a published threshold are marked as affected only:
| Product | Affected versions or builds |
|---|---|
| Windows Server 2012 | Listed as affected |
| Windows Server 2012 R2 | Listed as affected |
| Windows 10 version 1607, x86 and x64 | Before 10.0.14393.8868 |
| Windows Server 2016 | Before 10.0.14393.8868 |
| Windows 10 version 1809, x64 | Before 10.0.17763.8389 |
| Windows Server 2019 | Before 10.0.17763.8389 |
| Windows Server 2022 | Before 10.0.20348.4711 |
| Windows Server 2022 23H2 | Before 10.0.25398.2149 |
| Windows Server 2025 | Before 10.0.26100.32313 |
| Windows 10 version 22H2, x86, x64, and Arm64 | Before 10.0.19045.6937 |
| Windows 11 version 23H2, x64 and Arm64 | Before 10.0.22631.6649 |
| Windows 11 version 24H2, x64 and Arm64 | Before 10.0.26100.7781 |
| Windows 11 version 25H2, x64 and Arm64 | Before 10.0.26200.7781 |
Use the Microsoft advisory as the source of record for exact edition applicability, servicing channel details, and update package mapping. Confirm deployed builds with endpoint management data, PowerShell inventory, or your vulnerability scanner.
Severity
Severity is High. The CVSS 3.1 score is 7.5.
The public NVD description does not list this as remote code execution. It is a denial-of-service issue. That still matters. Availability failures can break business services, interrupt workflows that depend on rendering, take down preview and conversion services, and create repeatable outage conditions against systems that accept untrusted input.
The highest-risk systems are those that combine Windows GDI+ processing with network reachability. File upload portals are exposed. Image conversion services are exposed. Document preview services are exposed. Messaging and collaboration systems that process attachments on Windows hosts need review. Batch processing hosts that pull files from external queues also need review.
Mitigation
Install the Microsoft security update for CVE-2026-20846. Use Windows Update, WSUS, Microsoft Configuration Manager, Intune, or the Microsoft Update Catalog according to your patch process. Apply the latest cumulative update for the affected Windows release. Cumulative updates include prior security fixes.
Do this first:
- Identify Windows assets running affected client and server versions.
- Prioritize internet-facing systems and systems that process untrusted images or documents.
- Apply the February 2026 security update or any later cumulative update that supersedes it.
- Reboot where required.
- Verify the OS build is at or above the fixed threshold for that release.
- Review application logs for recurring crashes in graphics, preview, rendering, or document-processing components.
Temporary controls can reduce exposure. They do not replace patching. Restrict inbound access to services that process untrusted files. Disable public upload and preview features if they are not business-critical. Queue untrusted files for scanning on isolated workers. Limit accepted file types. Enforce size limits. Block malformed or uncommon image formats where your application does not need them. Put rendering workers behind authentication and rate limits.
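The file-type and size controls above can be enforced before any GDI+-backed code touches an upload. The following PowerShell is an added example, not code from the Microsoft advisory or from this article's author: it caps size and allowlists formats by their leading magic bytes, so only the formats the service actually needs reach the image parser. The format list, the 10 MB cap and the sample inputs are constructed for illustration. The check cannot tell a well-formed PNG from a malformed one; it only narrows what the parser is exposed to.

```powershell
# Added example (not from the advisory): pre-filter for untrusted files before
# a GDI+-backed renderer sees them. Assumed policy: 10 MB cap, PNG and JPEG only.

$MaxUploadBytes = 10MB

# Leading bytes of the formats this hypothetical service accepts.
$AllowedSignatures = [ordered]@{
    png  = [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)
    jpeg = [byte[]](0xFF, 0xD8, 0xFF)
}

function Test-ByteSignature {
    param([byte[]]$Bytes, [byte[]]$Signature)
    if ($Bytes.Length -lt $Signature.Length) { return $false }
    for ($i = 0; $i -lt $Signature.Length; $i++) {
        if ($Bytes[$i] -ne $Signature[$i]) { return $false }
    }
    return $true
}

function Test-RenderableUpload {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][byte[]]$Bytes,
        [string]$DeclaredExtension = ''   # what the client claimed, e.g. 'png'
    )
    $result = [pscustomobject]@{ Allowed = $false; Format = $null; Reason = $null }

    # Size limit first: nothing oversized is worth parsing.
    if ($Bytes.Length -eq 0) { $result.Reason = 'empty file'; return $result }
    if ($Bytes.Length -gt $MaxUploadBytes) { $result.Reason = "exceeds $MaxUploadBytes bytes"; return $result }

    # Identify the format from content, not from the file name.
    foreach ($entry in $AllowedSignatures.GetEnumerator()) {
        if (Test-ByteSignature -Bytes $Bytes -Signature $entry.Value) {
            $result.Format = $entry.Key
            break
        }
    }
    if (-not $result.Format) { $result.Reason = 'format not on the allowlist'; return $result }

    # A claimed extension that disagrees with the content is a reason to reject,
    # not a reason to guess which decoder to hand the bytes to.
    $ext = $DeclaredExtension.TrimStart('.').ToLowerInvariant()
    if ($ext -eq 'jpg') { $ext = 'jpeg' }
    if ($ext -and $ext -ne $result.Format) {
        $result.Reason = "extension '$DeclaredExtension' does not match content ($($result.Format))"
        return $result
    }

    $result.Allowed = $true
    return $result
}

# Constructed inputs (not real uploads), one per rejection path plus one accepted case.
$pngHeader = [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0x00, 0x00, 0x0D)
$bmpHeader = [byte[]](0x42, 0x4D, 0x36, 0x00, 0x00, 0x00)
$tooBig    = New-Object byte[] ($MaxUploadBytes + 1)

Test-RenderableUpload -Bytes $pngHeader -DeclaredExtension 'png'   # allowlisted format, matching extension
Test-RenderableUpload -Bytes $bmpHeader -DeclaredExtension 'bmp'   # exercises the allowlist check
Test-RenderableUpload -Bytes $pngHeader -DeclaredExtension 'gif'   # exercises the extension-mismatch check
Test-RenderableUpload -Bytes $tooBig                                # exercises the size cap
```

Run the gate on an isolated worker, as the paragraph above suggests, and feed only files with Allowed set to true into the rendering path. Add signatures only for formats the application genuinely needs; every format added is another parser exposed to untrusted input.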
Monitor for denial-of-service attempts. Look for repeated crashes in processes that call GDI+ or load gdiplus.dll. Watch web logs for repeated uploads from the same source followed by worker restarts. Alert on service crashes, application pool recycling spikes, queue backlogs, and repeated Windows Error Reporting events tied to image or document workflows.
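One concrete way to watch for the crash pattern described above is to pull Application Error events (Event ID 1000) from the Application log and keep those whose faulting module is gdiplus.dll. The PowerShell below is an added example, not part of the Microsoft advisory or the NVD record. It assumes the standard positional layout of Event 1000's EventData (faulting application at index 0, faulting module at index 3, exception code at index 6, stored as hex text without a 0x prefix); the sample records and the process names in them are constructed.

```powershell
# Added example (not from the advisory): repeated gdiplus.dll crashes from the
# Application log. Assumes Event 1000 EventData layout: [0] app, [3] module, [6] exception code.

function Get-GdiPlusCrashRecords {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Application   = [string]$_.Properties[0].Value
            Module        = [string]$_.Properties[3].Value
            ExceptionCode = [string]$_.Properties[6].Value
        }
    } | Where-Object { $_.Module -like 'gdiplus*.dll' }
}

function Group-CrashRecords {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Records,
        [int]$Threshold = 3
    )
    # Applications that crashed at least $Threshold times in the window.
    # c0000005 is STATUS_ACCESS_VIOLATION, what a read into an unmapped page produces.
    $Records | Group-Object Application | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        $ordered = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Application      = $_.Name
            Crashes          = $_.Count
            AccessViolations = @($_.Group | Where-Object { $_.ExceptionCode -eq 'c0000005' }).Count
            FirstSeen        = $ordered[0].Time
            LastSeen         = $ordered[-1].Time
        }
    }
}

# Constructed sample records (not from a real host) to exercise the grouping:
# three access violations in one preview worker, one unrelated crash elsewhere.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Time = $now.AddMinutes(-50); Application = 'PreviewWorker.exe'; Module = 'gdiplus.dll'; ExceptionCode = 'c0000005' }
    [pscustomobject]@{ Time = $now.AddMinutes(-40); Application = 'PreviewWorker.exe'; Module = 'gdiplus.dll'; ExceptionCode = 'c0000005' }
    [pscustomobject]@{ Time = $now.AddMinutes(-30); Application = 'PreviewWorker.exe'; Module = 'gdiplus.dll'; ExceptionCode = 'c0000005' }
    [pscustomobject]@{ Time = $now.AddMinutes(-20); Application = 'w3wp.exe';          Module = 'gdiplus.dll'; ExceptionCode = 'c0000409' }
)
Group-CrashRecords -Records $sample -Threshold 3 | Format-Table -AutoSize

# Live run against this host's Application log over the last 24 hours.
Group-CrashRecords -Records @(Get-GdiPlusCrashRecords -Hours 24) -Threshold 3 | Format-Table -AutoSize
```

Correlate the output with web or queue logs from the same window: a single source repeatedly submitting files just before each crash is the pattern the paragraph above describes. Schedule the live run and forward its rows to your SIEM rather than reading them by hand.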
Timeline
February 10, 2026: Microsoft published CVE-2026-20846 through the Security Update Guide. NVD received the CVE data from Microsoft on the same date.
February 11, 2026: NVD performed initial analysis and added affected configuration data, CWE-126, the Microsoft advisory reference, and the CVSS 3.1 score.
June 10, 2026: Organizations still running affected builds should treat the issue as overdue. Later cumulative updates should include the fix, but build verification is required.
Action Required
Patch now. Confirm build numbers. Do not rely on product name alone.
For Windows 11 24H2, verify systems are at least build 10.0.26100.7781. For Windows 11 23H2, verify at least 10.0.22631.6649. For Windows 10 22H2, verify at least 10.0.19045.6937. For Windows Server 2022, verify at least 10.0.20348.4711. For Windows Server 2025, verify at least 10.0.26100.32313.
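The build verification step in the "Do this first" list and the thresholds in this paragraph can be checked with the following PowerShell. It is an added example, not code from the Microsoft advisory or from this article's author. The thresholds are copied from the table in the Affected Products section and must be confirmed against the Microsoft Security Update Guide before anyone acts on the output; the inventory rows at the end are constructed, not real hosts. Windows Server 2012 and 2012 R2 have no published threshold in the table, so they report Unknown.

```powershell
# Added example (not from the advisory or NVD): compare a host's full OS build
# with the fixed-build thresholds listed in this article. Thresholds assumed from
# the article's table; verify them against Microsoft's advisory.

# First fixed build, keyed by the release's base build number ([version].Build).
$FixedBuilds = @{
    14393 = [version]'10.0.14393.8868'   # Windows 10 1607 / Windows Server 2016
    17763 = [version]'10.0.17763.8389'   # Windows 10 1809 / Windows Server 2019
    19045 = [version]'10.0.19045.6937'   # Windows 10 22H2
    20348 = [version]'10.0.20348.4711'   # Windows Server 2022
    22631 = [version]'10.0.22631.6649'   # Windows 11 23H2
    25398 = [version]'10.0.25398.2149'   # Windows Server 2022 23H2
    26200 = [version]'10.0.26200.7781'   # Windows 11 25H2
}

function Get-FixedBuild {
    param(
        [Parameter(Mandatory)][int]$BaseBuild,
        [Parameter(Mandatory)][string]$InstallationType   # 'Client' or 'Server', from the registry
    )
    if ($BaseBuild -eq 26100) {
        # Windows 11 24H2 and Windows Server 2025 share base build 26100, but the
        # table lists different fixed revisions, so the installation type decides.
        if ($InstallationType -eq 'Server') { return [version]'10.0.26100.32313' }
        return [version]'10.0.26100.7781'
    }
    if ($FixedBuilds.ContainsKey($BaseBuild)) { return $FixedBuilds[$BaseBuild] }
    return $null
}

function Test-Cve202620846Build {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][version]$InstalledBuild,
        [Parameter(Mandatory)][string]$InstallationType
    )
    $fixed = Get-FixedBuild -BaseBuild $InstalledBuild.Build -InstallationType $InstallationType
    if ($null -eq $fixed) { $status = 'Unknown' }
    elseif ($InstalledBuild -ge $fixed) { $status = 'Patched' }
    else { $status = 'Vulnerable' }
    [pscustomobject]@{
        ComputerName     = $ComputerName
        InstallationType = $InstallationType
        InstalledBuild   = $InstalledBuild
        FixedBuild       = $fixed
        Status           = $status
    }
}

function Get-LocalBuildInfo {
    # CurrentBuildNumber is the base build; UBR is the revision that cumulative
    # updates bump. Together they form the 10.0.x.y build the table compares against.
    $cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ubr = if ($null -ne $cv.UBR) { $cv.UBR } else { 0 }   # UBR is absent on pre-Windows 10 releases
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstallationType = [string]$cv.InstallationType
        Build            = [version]"10.0.$($cv.CurrentBuildNumber).$ubr"
    }
}

# Live check on this host.
$local = Get-LocalBuildInfo
Test-Cve202620846Build -ComputerName $local.ComputerName -InstalledBuild $local.Build -InstallationType $local.InstallationType

# Constructed inventory rows (not real hosts) showing why the product name alone is not enough:
# the same 26100.7781 build is evaluated against different thresholds for client and server.
$inventory = @(
    [pscustomobject]@{ ComputerName = 'web01'; InstallationType = 'Server'; Build = [version]'10.0.20348.4600' }
    [pscustomobject]@{ ComputerName = 'ws17';  InstallationType = 'Client'; Build = [version]'10.0.26100.7781' }
    [pscustomobject]@{ ComputerName = 'srv25'; InstallationType = 'Server'; Build = [version]'10.0.26100.7781' }
    [pscustomobject]@{ ComputerName = 'old12'; InstallationType = 'Server'; Build = [version]'6.3.9600.21000' }
)
$inventory | ForEach-Object {
    Test-Cve202620846Build -ComputerName $_.ComputerName -InstalledBuild $_.Build -InstallationType $_.InstallationType
} | Format-Table -AutoSize
```

Feed the same function from your endpoint management or scanner export instead of the constructed rows to get a fleet-wide view. The split threshold on base build 26100 is the one entry most worth confirming against Microsoft's advisory, because a Server 2025 host that has received the same cumulative update as a Windows 11 24H2 host would otherwise be reported as vulnerable purely on the strength of the table.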
Security teams should also check exceptions. Long-lived servers often miss cumulative updates because of maintenance windows, application owner delays, or unsupported operating system dependencies. Those systems are the likely weak points. Place them into an emergency patch lane or isolate their exposed processing paths until updates are installed.
CVE-2026-20846 is a service-disruption flaw in a widely deployed Windows graphics component. It is network reachable by CVSS scoring. It needs no authentication. Apply the fix and verify it.