Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Windows GDI EMF Heap Buffer Overflow RCE

IdentifiersCVE-2026-35421CWE-122· Heap-based Buffer Overflow

CVE-2026-35421 is a critical heap-based buffer overflow in the Windows Graphics Device Interface (GDI). The flaw is triggered when Windows GDI processes a specially crafted Enhanced Metafile (EMF) image, with the provided reporting consistently identifying Microsoft Paint as the attack vector used to open or otherwise process the malicious file. The vulnerability is described as a heap overflow condition in GDI’s handling of EMF content, which can corrupt process memory and lead to code execution in the context of the application processing the file.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary code execution on the victim system. Based on the provided context, exploitation occurs when a user opens or otherwise processes a malicious EMF file in Microsoft Paint, allowing an unauthorized attacker to run attacker-controlled code locally on the target machine. The practical impact is compromise of the affected endpoint in the security context of the targeted user and application, which may enable follow-on actions such as malware installation, persistence, credential theft, or lateral movement depending on the privileges available.

Mitigation

If you can’t patch tonight, do this now.

Until patches are fully deployed, reduce exposure by preventing users from opening untrusted or unsolicited EMF files, especially in Microsoft Paint. Restrict delivery of EMF content through email, web downloads, and shared storage where feasible, and consider blocking or quarantining EMF attachments at security gateways. User awareness measures and application control policies that limit handling of uncommon image formats can further reduce exploitability. The provided content does not specify any vendor-issued workaround beyond patching.

Remediation

Patch, then assume compromise.

Apply the Microsoft security updates released as part of the May 2026 Patch Tuesday cycle that address CVE-2026-35421. The provided content recommends prioritizing immediate patching of unpatched Windows systems. Ensure affected Windows versions receive the relevant cumulative or security updates from Microsoft so that the vulnerable Windows GDI EMF-processing path is corrected.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 23h2operating_system
Microsoft CorporationWindows 11 24h2operating_system
Microsoft CorporationWindows 11 25h2operating_system
Microsoft CorporationWindows 11 26h1operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 2025operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
techrepublic com securityNews
May 13, 2026
Microsoft’s Patch Tuesday Update Targets 120 Security Flaws

A remote code execution vulnerability in Windows Graphics Device Interface (GDI) involving specially crafted Enhanced Metafile (EMF) files opened in Windows Paint.

Read more
thecyberexpress com vulnerabilitiesNews
May 13, 2026
Microsoft May 2026 Patch Tuesday Fixes 120 Flaws

A Windows GDI remote code execution vulnerability exploitable via a malicious EMF image opened in Microsoft Paint.

Read more
cyberthroneNews
May 13, 2026
Microsoft Patch Tuesday - May 2026 - TheCyberThrone

A critical remote code execution vulnerability in Windows GDI caused by a heap-based buffer overflow triggered by opening a crafted EMF file in Microsoft Paint.

Read more
talos intelligence blogNews
May 12, 2026
Microsoft Patch Tuesday for May 2026 - Snort rules and prominent vulnerabilities

A critical heap-based buffer overflow in Windows GDI that can lead to local code execution when a user opens or processes a specially crafted EMF file in Microsoft Paint.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-35421
NVD
nvd.nist.gov/vuln/detail/CVE-2026-35421
MITRE CWE · CWE-122
Heap-based Buffer Overflow
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35421