Microsoft Releases Critical Security Update for CVE-2026-22990 Vulnerability

Vulnerabilities Reporter

Microsoft has issued a critical security update addressing CVE-2026-22990, a severe vulnerability affecting multiple Windows versions that could allow remote code execution.

Microsoft has released a critical security update to address CVE-2026-22990, a severe vulnerability affecting multiple Windows operating systems. The vulnerability has been assigned a CVSS score of 9.8 out of 10, indicating critical severity.

The vulnerability affects Windows 10 version 1809 and later, Windows Server 2019 and later, and Windows 11 version 21H2 and later. Microsoft reports that the flaw could allow an attacker to execute arbitrary code with elevated privileges when a user opens a specially crafted file or visits a malicious website.

According to Microsoft's security advisory, the vulnerability exists in the Windows Graphics Component, which handles rendering of graphical content. An attacker who successfully exploits this vulnerability could gain the same user rights as the local user, potentially leading to complete system compromise.

Microsoft has released the following security updates:

  • For Windows 10 version 1809 and later: KB5026372
  • For Windows Server 2019 and later: KB5026373
  • For Windows 11 version 21H2 and later: KB5026374

Mitigation Steps:

  1. Immediate Update: Apply the security updates immediately through Windows Update
  2. Manual Download: Updates can be downloaded from the Microsoft Update Catalog
  3. Verification: Verify installation using the provided KB article numbers
  4. Restart Required: A system restart is necessary to complete the update process
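The verification and restart steps above can be checked from a management console rather than by eye. The following PowerShell script is an added example, not part of the article and not Microsoft's tooling: it picks the KB the article lists for the host's Windows family, asks the servicing stack whether that KB is installed, and reports whether a reboot is still pending. The KB numbers are the three named above; the registry paths are the standard Windows indicators for a pending reboot. The mapping from product caption to KB is an assumption based on the article's list only.

```powershell
# Added example (not from the article or from Microsoft): check whether the
# CVE-2026-22990 update named for this host's Windows family is installed
# and whether a restart is still outstanding.

# KB numbers as listed in the article, keyed by product family (assumed mapping).
$ExpectedKb = @{
    'Windows 10'     = 'KB5026372'
    'Windows Server' = 'KB5026373'
    'Windows 11'     = 'KB5026374'
}

function Get-ExpectedKb {
    param([Parameter(Mandatory)][string]$ProductCaption)
    # Win32_OperatingSystem.Caption looks like "Microsoft Windows 11 Pro"
    # or "Microsoft Windows Server 2019 Standard"; match on the family name.
    foreach ($family in $ExpectedKb.Keys) {
        if ($ProductCaption -like "*$family*") { return $ExpectedKb[$family] }
    }
    return $null
}

function Test-PendingReboot {
    # Standard servicing-stack and Windows Update reboot-pending markers.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($m in $markers) { if (Test-Path $m) { return $true } }
    # PendingFileRenameOperations is set when files are replaced on next boot.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return [bool]($sm -and $sm.PendingFileRenameOperations)
}

function Test-Cve202622990Patch {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $kb = Get-ExpectedKb -ProductCaption $os.Caption

    # Get-HotFix reads Win32_QuickFixEngineering, which records installed updates by KB id.
    $installed = if ($kb) { [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue) } else { $false }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Product       = $os.Caption
        Build         = $os.BuildNumber
        ExpectedKb    = $kb
        KbInstalled   = $installed
        RebootPending = Test-PendingReboot
        # Fully mitigated only when the KB is present and no restart is outstanding.
        Mitigated     = ($installed -and -not (Test-PendingReboot))
    }
}

Test-Cve202622990Patch | Format-List
```

Run it with an elevated PowerShell session on each host, or wrap the final call in `Invoke-Command -ComputerName` to sweep a fleet and filter on `Mitigated -eq $false`. One caveat: cumulative Windows updates supersede one another, so a host that received a later cumulative update may not list the exact KB even though it carries the fix; when the mapping shows `KbInstalled = $false`, compare the reported `Build` against the build number Microsoft gives in the KB article before treating the host as unpatched.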

Microsoft reports no evidence of active exploitation in the wild at this time, but given the severity of the vulnerability, organizations are strongly urged to prioritize deployment of these updates.

Timeline:

  • April 11, 2026: Vulnerability discovered and reported to Microsoft
  • April 14, 2026: Microsoft confirmed the issue and began developing patches
  • April 18, 2026: Security updates released to all supported channels

The vulnerability was responsibly disclosed through Microsoft's Security Response Center (MSRC) program. Microsoft credits the discovery to security researchers at [redacted] who followed coordinated disclosure practices.

Organizations should also review their incident response plans and ensure that affected systems are updated as quickly as possible. Microsoft recommends prioritizing systems that are internet-facing or handle sensitive data.

For additional technical details, including proof-of-concept code and detailed exploitation scenarios, security professionals can refer to the full CVE-2026-22990 entry in the National Vulnerability Database.

Microsoft will continue to monitor for any signs of exploitation and may release additional guidance if necessary. Organizations running unsupported Windows versions should consider upgrading to a supported release to maintain security protections.