ZeroPath at Black Hat USA 2026

Windows GDI CVE-2026-35421: Brief Summary of a Heap Buffer Overflow Leading to Local Code Execution

A brief summary of CVE-2026-35421, a heap-based buffer overflow in the Windows GDI subsystem that allows local code execution when a user opens a crafted EMF file. Patch information covering 31 product and platform combinations is included.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Windows GDI CVE-2026-35421: Brief Summary of a Heap Buffer Overflow Leading to Local Code Execution
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A heap-based buffer overflow in the Windows GDI subsystem, patched in Microsoft's May 2026 Patch Tuesday cycle, allows an attacker to achieve local code execution simply by convincing a user to open a crafted Enhanced Metafile (EMF). With 31 distinct product and platform combinations affected, spanning from Windows Server 2012 all the way through Windows 11 26H1, the attack surface here is broad and touches virtually every supported Windows deployment in production today.

Technical Information

CVE-2026-35421 is rooted in a heap-based buffer overflow (CWE-122) within the Windows Graphics Device Interface (GDI), the core subsystem responsible for rendering graphical objects and transmitting them to output devices. The specific flaw lies in how GDI parses Enhanced Metafile (EMF) records. During metafile rendering, the component allocates a heap buffer but fails to properly validate the size of incoming record data against the buffer's boundaries. This allows a specially crafted EMF file to write past the end of the allocated buffer, corrupting adjacent heap memory.

CVSS Breakdown

The CVSS 3.1 vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, yielding a base score of 7.8.

CVSS MetricValueOperational Implication
Attack Vector (AV)LocalThe attacker requires local access to the target system to exploit the vulnerability.
Attack Complexity (AC)LowNo specialized access conditions or extenuating circumstances are required.
Privileges Required (PR)NoneThe attacker does not need prior privileges to initiate the exploit.
User Interaction (UI)RequiredA user must perform an action, such as opening a file, to trigger the vulnerability.
Scope (S)UnchangedThe vulnerability does not allow the attacker to impact resources beyond the vulnerable component's authorization scope.
Confidentiality (C)HighTotal loss of confidentiality; all resources within the impacted component can be divulged.
Integrity (I)HighTotal loss of integrity; the attacker can modify any files or data.
Availability (A)HighTotal loss of availability; the attacker can fully deny access to resources.

Because GDI runs in the context of the calling process, successful exploitation grants code execution with the privileges of the user who opened the malicious file.

Attack Flow

Based on the available source materials, the exploitation sequence proceeds as follows:

  1. The attacker crafts a malicious EMF file containing specially constructed EMF records designed to trigger the heap buffer overflow during parsing.
  2. The attacker delivers this file to the victim through a plausible channel: email attachment, file share, web download, or similar.
  3. The victim opens or previews the EMF file using any application that relies on the Windows GDI subsystem for rendering (for example, Microsoft Paint).
  4. During EMF record parsing, the GDI component allocates a heap buffer but does not properly validate the size of incoming data against the buffer boundaries.
  5. The overflow corrupts adjacent heap memory. The attacker can leverage this corruption to gain control of execution flow and run arbitrary code locally with the victim's privileges.

The "User Interaction: Required" metric is the key friction point here. Without a user actively opening or processing the crafted file, the vulnerability cannot be triggered. However, EMF files are a common and generally trusted format in enterprise environments, which lowers the social engineering barrier.

Patch Information

Microsoft shipped an official fix for CVE-2026-35421 on May 12, 2026, as part of its May 2026 Patch Tuesday release cycle. The MSRC Security Update Guide confirms a remediation level of "Official Fix," meaning a complete vendor solution is available and customer action is required.

The patch corrects the way the GDI component handles EMF record parsing, adding proper bounds checking to prevent a heap buffer from being overflowed during metafile rendering. Because this is a closed source Windows component, no public source code diff is available; the fix is delivered solely through Microsoft's binary cumulative updates.

The breadth of this patch is notable: it spans 31 distinct product and platform combinations, covering client and server Windows editions going all the way back to Windows Server 2012. Here is a summary of the relevant Knowledge Base (KB) articles organized by product family:

Product FamilyKB Article(s)Patched Build(s)
Windows 11 26H1 (x64 and ARM64)KB508954810.0.28000.2113
Windows 11 25H2 / 24H2 (x64 and ARM64)KB5089549, KB5089466 (Hotpatch)10.0.26100.8457 / 10.0.26100.8390
Windows 11 23H2 (x64 and ARM64)KB508742010.0.22631.7079
Windows 10 22H2 / 21H2 (x64, ARM64, 32 bit)KB508754410.0.19045.7291 / 10.0.19044.7291
Windows 10 1809 / Server 2019KB508753810.0.17763.8755
Windows 10 1607 / Server 2016KB508753710.0.14393.9140
Windows Server 2025KB5087539, KB5087423 (Hotpatch)10.0.26100.32860 / 10.0.26100.32772
Windows Server 2022KB5087545, KB5087424 (Hotpatch)10.0.20348.5139 / 10.0.20348.5074
Windows Server 2022 23H2KB508754110.0.25398.2330
Windows Server 2012 R2KB50874716.3.9600.23181
Windows Server 2012KB50874706.2.9200.26079

For several modern platforms (Windows 11 24H2/25H2, Server 2025, and Server 2022), Microsoft provides both a standard cumulative security update and a Security Hotpatch update. The hotpatch variant allows organizations to apply the fix without requiring a system reboot, which is particularly valuable for server workloads where downtime is costly. Both update paths fully remediate the vulnerability.

To verify that a system is patched, administrators should confirm the OS build number meets or exceeds the values listed above. Updates are available through Windows Update, WSUS, and the Microsoft Update Catalog.

No documented workarounds or alternative mitigations are available. Organizations must rely entirely on the official patch to remediate this vulnerability.

Affected Systems and Versions

Based on the patch data, the following Windows editions and versions are confirmed vulnerable (prior to applying the listed patches):

Windows Client:

  • Windows 11 26H1 (x64 and ARM64), builds prior to 10.0.28000.2113
  • Windows 11 25H2 / 24H2 (x64 and ARM64), builds prior to 10.0.26100.8457
  • Windows 11 23H2 (x64 and ARM64), builds prior to 10.0.22631.7079
  • Windows 10 22H2 (x64, ARM64, 32 bit), builds prior to 10.0.19045.7291
  • Windows 10 21H2 (x64, ARM64, 32 bit), builds prior to 10.0.19044.7291
  • Windows 10 1809, builds prior to 10.0.17763.8755
  • Windows 10 1607, builds prior to 10.0.14393.9140

Windows Server:

  • Windows Server 2025, builds prior to 10.0.26100.32860
  • Windows Server 2022 23H2, builds prior to 10.0.25398.2330
  • Windows Server 2022, builds prior to 10.0.20348.5139
  • Windows Server 2019, builds prior to 10.0.17763.8755
  • Windows Server 2016, builds prior to 10.0.14393.9140
  • Windows Server 2012 R2, builds prior to 6.3.9600.23181
  • Windows Server 2012, builds prior to 6.2.9200.26079

In total, 31 distinct product and platform combinations are affected.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization