CVE-2025-26639

Severity: High
Published: 08 April 2025
Modified: 03 July 2025
KEV Added: not listed
Patch: see Microsoft advisory
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0225 (85.0th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26639 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft Windows 11 22H2. Its CVSS base score is 7.8 (High).

Operationally, its EPSS score places it in the top 15.0% of CVEs by exploit likelihood (85.0th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-26639 is an integer overflow or wraparound vulnerability (CWE-190), also classified as a heap-based buffer overflow (CWE-122), that affects the Windows USB Print Driver. The flaw carries a CVSS 3.1 base score of 7.8 and permits an authorized local attacker to elevate privileges on an affected system.

An attacker with a valid local account can exploit the issue without user interaction to gain elevated rights, potentially obtaining full control over the host. The attack vector is local only, with low attack complexity and no requirement for the victim to perform any action.

Microsoft’s advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26639 provides official guidance on available patches and mitigations for the affected Windows versions.

The EPSS score remains low at 0.0225 with no material increase since disclosure.

Vulnerability details

Integer overflow or wraparound in Windows USB Print Driver allows an authorized attacker to elevate privileges locally.

CWE(s): CWE-122 (Heap-based Buffer Overflow), CWE-190 (Integer Overflow or Wraparound)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor      Product                   Affected versions (up to and including)
microsoft   windows 10 21h2           ≤ 10.0.19044.5737
microsoft   windows 10 22h2           ≤ 10.0.19045.5737
microsoft   windows 11 22h2           ≤ 10.0.22621.5189
microsoft   windows 11 23h2           ≤ 10.0.22631.5189
microsoft   windows 11 24h2           ≤ 10.0.26100.3775
microsoft   windows server 2022       ≤ 10.0.20348.3453
microsoft   windows server 2022 23h2  ≤ 10.0.25398.1551
microsoft   windows server 2025       ≤ 10.0.26100.3775

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.