CVE-2026-54122 Fix: Patch Windows GDI+ RCE to July 2026 Builds

Microsoft has patched CVE-2026-54122, an 8.4-rated Windows GDI+ remote code execution vulnerability affecting supported and Extended Security Update editions of Windows 10, Windows 11, and Windows Server. The flaw is a heap-based buffer overflow that can give an unauthorized attacker full confidentiality, integrity, and availability impact when vulnerable GDI+ code processes attacker-controlled content.
Published on July 14 as part of Microsoft’s monthly security release, CVE-2026-54122 is rated Important rather than Critical. Microsoft’s Security Response Center identifies the weakness as CWE-122, a heap-based buffer overflow, while the CVSS vector indicates low attack complexity, no privileges required, and no user interaction.
That combination deserves attention, but the vulnerability’s “remote code execution” title requires careful reading. The CVSS attack vector is local, not network-based, meaning this is not an unauthenticated Internet-facing service flaw that attackers can directly fire at an exposed Windows host.

Cybersecurity graphic showing a patched Windows Server protecting its graphics pipeline from a heap overflow.“Remote Code Execution” Does Not Mean Network Exploitation​

Microsoft describes CVE-2026-54122 as allowing an unauthorized attacker to execute code locally. Its CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, producing a base score of 8.4.
In practical terms, an attacker must first place themselves in a position where malicious content or code is processed on the target machine. However, the attacker does not need an existing authenticated account, elevated privileges, or a second user to perform an additional action once the required local execution path has been established.
This distinction is important for vulnerability triage. CVE-2026-54122 should not be treated like a remotely reachable RDP, SMB, HTTP.sys, or Windows Server service vulnerability, but neither should administrators dismiss it simply because AV:L appears in the score. GDI+ is a mature and widely used Windows graphics subsystem, and flaws in common content-processing components can become valuable links in document, application, browser, or post-compromise attack chains.
The “remote” wording in Microsoft vulnerability titles generally describes the eventual ability to execute attacker-chosen code, not necessarily a network attack vector. Here, the structured CVSS data is the better guide: exploitation occurs from the local system context.

The Overflow Reaches Across the Windows Estate​

Microsoft’s affected-product data spans Windows 10, current Windows 11 releases, and multiple generations of Windows Server. Server Core installations are also listed, underlining that the graphics component remains present and security-relevant even on systems without the full Desktop Experience.
Affected releases include:
  • Windows 10 versions 1607, 1809, 21H2, and 22H2 are affected on applicable 32-bit, x64, and ARM64 platforms.
  • Windows 11 versions 24H2, 25H2, and 26H1 are affected on x64 and ARM64 systems.
  • Windows Server 2012 and Windows Server 2012 R2 are affected, including Server Core installations.
  • Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 are affected.
  • Windows Server 2025 Server Core is included in Microsoft’s affected-product data.
The fixed build thresholds provide a straightforward compliance check. Windows 11 24H2 must be brought to build 26100.8875 or later, while Windows 11 25H2 requires build 26200.8875 or later. Windows 11 26H1 is fixed at build 28000.2525.
For Windows 10, the relevant fixed levels are 14393.9339 for version 1607, 17763.9020 for version 1809, 19044.7548 for version 21H2, and 19045.7548 for version 22H2. Older Windows 10 releases in this list will generally appear in long-term servicing or paid ESU environments rather than ordinary consumer deployments.
On the server side, the corrected levels include build 20348.5386 for Windows Server 2022 and build 26100.33158 for Windows Server 2025. Windows Server 2016 follows the 14393.9339 branch, while Windows Server 2019 follows 17763.9020. Windows Server 2012 and 2012 R2 require their applicable July security updates and ESU entitlement.
These build numbers are more reliable than simply checking whether Windows Update reports that it ran successfully. Administrators should verify the installed OS build after deployment, particularly on systems governed by phased rings, maintenance windows, WSUS approval rules, or third-party patch-management platforms.

GDI+ Makes Application Inventory Part of the Risk​

GDI+ supplies graphics rendering and image-processing capabilities to Windows and to software built on top of the platform. A defect in that shared component can therefore affect more than applications carrying an obvious Microsoft Graphics label.
Microsoft’s public description does not specify a file format, application entry point, or complete exploitation chain for CVE-2026-54122. Administrators should consequently avoid assuming that blocking one image extension, removing Microsoft Paint, or restricting a particular email attachment type provides complete protection. Without a vendor-documented workaround tied to a specific parser or workflow, installing the corrected Windows binaries is the dependable remediation.
The absence of required user interaction in the CVSS vector also separates this vulnerability from the familiar “convince a victim to open a malicious file” pattern. It suggests the vulnerable processing can occur without an additional deliberate action at the point of exploitation, although the attacker still needs a local path to the vulnerable component.
That makes shared servers and automated processing systems worth reviewing. Applications that generate thumbnails, transform images, produce reports, import graphical assets, or process uploaded content may invoke operating-system graphics functionality behind the scenes. Server Core should not be excluded from scanning merely because nobody uses it as an interactive desktop.
At publication time, Microsoft has not identified CVE-2026-54122 as one of July’s publicly disclosed or actively exploited zero-days. BleepingComputer’s July Patch Tuesday accounting lists it as an Important GDI+ vulnerability within a much larger release, rather than among the month’s exploited flaws. There is therefore no public evidence yet that attackers are using this specific CVE in the wild, but its low complexity and lack of privilege or interaction requirements make prolonged patch deferral difficult to justify.

Patch Verification Matters More Than the Label​

For managed environments, the immediate task is to deploy the July 14 cumulative Windows updates through Windows Update, Microsoft Intune, Windows Autopatch, WSUS, Configuration Manager, or the organization’s existing endpoint-management platform. Because Windows cumulative updates supersede earlier servicing content, installing the applicable current cumulative update should deliver the GDI+ correction alongside the rest of July’s fixes.
Security teams should then confirm that endpoints have crossed the fixed build boundary. Vulnerability scanners may initially identify CVE-2026-54122 through operating-system version data rather than by testing the affected graphics routines, so stale inventory and delayed scan synchronization can produce misleading results in either direction.
Systems running Windows Server 2012, Server 2012 R2, or older Windows 10 servicing branches need additional scrutiny. A machine can remain online and apparently functional while lacking the ESU licensing, update channel, or servicing prerequisites needed to receive the patch. Unsupported machines that cannot obtain July’s correction should be isolated, replaced, or prevented from processing untrusted content rather than marked as an accepted low-risk exception.
CVE-2026-54122 is not a wormable Internet-facing emergency, but it is a confirmed memory-corruption flaw with a high CVSS score and broad Windows reach. The concrete milestone for administrators is simple: verify the July 2026 cumulative update and the resulting OS build, including on Server Core, ESU-protected Windows 10, and legacy Windows Server systems that are easiest to miss.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: thewindowsupdate.com
 

Back
Top