CVE-2026-49796: Patch Windows GDI+ RCE in July 14 Updates

Microsoft’s July 14, 2026 security updates fix CVE-2026-49796, a Windows GDI+ heap-based buffer overflow that can lead to code execution after a user interacts with malicious content. The vulnerability reaches across supported Windows 10, Windows 11, and Windows Server releases, making the cumulative update the practical remedy for both endpoints and servers.
Microsoft classifies CVE-2026-49796 as a Windows GDI+ Remote Code Execution Vulnerability. The National Vulnerability Database, using data supplied by Microsoft, lists a CVSS 3.1 base score of 7.8 and identifies the underlying weakness as CWE-122, a heap-based buffer overflow.
Despite the remote-code-execution title, Microsoft’s scoring describes a more constrained path: the attack vector is local, exploitation requires user interaction, and no existing privileges are needed. That distinction matters for defenders because this is not documented as an unauthenticated network service vulnerability that an attacker can trigger simply by reaching an exposed Windows port.

Futuristic Windows cybersecurity scene with glowing shields, servers, monitoring panels, and malware protection icons.Malicious Content Is the Likely Delivery Mechanism​

Windows GDI+ provides graphics processing services used to draw and manipulate images, text, and other visual content. A memory-safety flaw in that component can become security-sensitive when Windows or an application passes attacker-controlled content to the vulnerable parser.
Microsoft’s brief description says the flaw allows an unauthorized attacker to execute code locally. The CVSS vector adds the most useful operational detail: attack complexity is low, privileges are not required, but the victim must perform an action.
In practice, that points toward a social-engineering or content-delivery scenario. An attacker could potentially persuade a user to open a crafted file, view malicious content, or otherwise cause an application to process data designed to trigger the overflow. Microsoft had not published enough technical detail at release time to identify the exact file type, application workflow, or GDI+ function involved, so administrators should not assume that blocking one image extension would provide reliable protection.
The vulnerability can still be described as remote code execution because malicious content may be delivered remotely through email, a website, a download, a shared location, or another communication channel. The actual processing and code execution, however, occur on the victim’s Windows system after interaction. Remote delivery does not mean network-adjacent exploitation in this case.
A successful exploit could affect confidentiality, integrity, and availability, all of which Microsoft scores as high. Code would ordinarily run within the security context of the process that handles the malicious content, meaning the practical damage would depend on the application involved and the victim’s account privileges.
That makes standard privilege hygiene relevant but not sufficient. Running users without local administrator rights can limit the immediate reach of compromised code, but it does not prevent theft of data accessible to the user, persistence within the profile, credential attacks, or follow-on privilege escalation.

The Affected List Spans Multiple Windows Generations​

The CVE record covers a broad range of client and server products. According to Microsoft’s affected-version data published through the CVE program and reproduced by NIST, vulnerable releases include Windows 10 versions 1607, 1809, 21H2, and 22H2, alongside Windows 11 versions 24H2, 25H2, and 26H1.
The server footprint stretches from Windows Server 2012 through Windows Server 2025. Server Core installations are also named for Windows Server 2012, 2012 R2, 2016, 2019, and 2025, underlining that the vulnerable graphics component can exist even where administrators do not normally think of interactive image handling as a server workload.
Microsoft’s corrected-build thresholds provide a useful compliance check:
  • Windows 10 version 1607 and Windows Server 2016 must reach build 14393.9339 or later.
  • Windows 10 version 1809 and Windows Server 2019 must reach build 17763.9020 or later.
  • Windows 10 versions 21H2 and 22H2 must reach builds 19044.7548 and 19045.7548 respectively.
  • Windows 11 versions 24H2 and 25H2 must reach builds 26100.8875 and 26200.8875 respectively.
  • Windows 11 version 26H1 must reach build 28000.2269 or later.
  • Windows Server 2022 must reach build 20348.5386 or later.
  • Windows Server 2025 must reach build 26100.33158 or later.
Windows Server 2012 is affected below build 9200.26226, while Windows Server 2012 R2 is affected below build 9600.23291. Those older platforms require particular attention because receiving security fixes may depend on the organization’s support arrangement and update channel.
The inclusion of older Windows 10 releases similarly does not mean every installation receives updates through ordinary consumer Windows Update. Some listed versions survive principally through Long-Term Servicing Channel editions or paid servicing programs. Administrators should therefore verify entitlement and deployment status rather than treating an affected-product entry as proof that a machine will patch itself.

Why Server Core Still Needs the Fix​

It can be tempting to deprioritize a GDI+ vulnerability on Server Core because the system lacks the conventional Windows desktop experience. The affected-product data argues against that shortcut.
Graphics libraries can be reached by applications, services, document-processing tools, reporting systems, web workloads, and third-party software without an administrator opening an image in a desktop viewer. An application that accepts uploaded content or generates previews may expose a path into graphics-processing code even when no user logs on interactively.
Microsoft has not publicly documented such a server-side exploitation chain for CVE-2026-49796. Still, the explicit inclusion of Server Core means vulnerability scanners and patch policies should rely on the installed OS build, not assumptions about whether the machine displays graphics.
Server deployments also change the meaning of “user interaction.” In CVSS terminology, interaction can include a person causing an application to process malicious content; it does not necessarily require clicking through a security warning directly on the vulnerable server. Until Microsoft provides fuller exploit-scenario details, systems that ingest untrusted images or documents deserve priority alongside user workstations.

Confidence Is High, but Exploit Detail Remains Limited​

The vulnerability’s existence is confirmed by Microsoft, which assigned the CVE, supplied the affected-version ranges, scored the issue, and shipped corrected Windows builds. That gives defenders high confidence that the underlying flaw is real and security-relevant.
The public technical picture remains comparatively thin. NIST listed CVE-2026-49796 as undergoing enrichment on July 14, with no independent NVD severity assessment yet available. Microsoft’s published information identifies the heap overflow and exploitation prerequisites but does not provide a proof of concept, root-cause analysis, affected graphics format, or observable indicators of compromise.
CVE-2026-49796 was not among the two vulnerabilities that Microsoft identified as already exploited in July’s release, according to Patch Tuesday coverage from the SANS Internet Storm Center and BleepingComputer. It also was not highlighted as the month’s publicly disclosed zero-day. That lowers the evidence-based urgency relative to bugs with confirmed exploitation, but it does not make postponement risk-free.
Once patches are available, attackers can compare updated and unpatched binaries to locate the changed code—a process known as patch diffing. A low-complexity memory-corruption flaw in a widely deployed Windows component can consequently become more useful to attackers after the security update reveals where Microsoft made the fix.

Patch the OS, Then Verify the Build​

There is no documented configuration switch that cleanly removes the vulnerable GDI+ code while preserving normal Windows and application functionality. The dependable action is to deploy the July 2026 cumulative security update applicable to each Windows release.
Enterprise teams should test the cumulative updates against graphics-heavy and document-processing applications, but CVE-2026-49796 does not justify an extended wait for perfect telemetry. Deployment rings should move promptly from representative test systems to workstations that process external email attachments, downloaded files, browser content, design assets, and customer-submitted documents.
Administrators should also inventory servers that perform image resizing, report generation, document conversion, thumbnail creation, scanning, or web-content processing. Those roles may be more exposed to untrusted graphical input than their “server” classification suggests.
The final control is verification. Windows Update, Windows Server Update Services, Microsoft Configuration Manager, Intune, or another patch platform may report a successful installation even when a reboot remains outstanding or a device has fallen outside its intended servicing ring. The installed OS build should meet or exceed Microsoft’s corrected threshold for the specific Windows version.
CVE-2026-49796 is not documented as an active zero-day, but its broad product coverage and code-execution impact make it a poor candidate for routine deferral. The immediate milestone for IT teams is straightforward: deploy the July 14 updates, complete required restarts, and confirm that every exposed client and server has crossed the fixed-build boundary.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top