Cyber Resilience

CVE-2025-50168

Severity: High
Published: 12 August 2025
Modified: 19 August 2025
KEV Added: not listed (not in the CISA KEV catalog at time of writing)
Patch: security updates available via the MSRC advisory (see References)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0107 (78.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-50168 is a high-severity type confusion (CWE-843) vulnerability in the Windows Win32K - ICOMP component; CWE-122 (heap-based buffer overflow) is also recorded for it. It affects Windows 11 22H2, 23H2 and 24H2, Windows Server 2022 23H2 and Windows Server 2025 (build thresholds under Affected Assets). Its CVSS v3.1 base score is 7.8 (High): a local, low-privileged attacker can elevate privileges without user interaction.

Operationally, its EPSS score of 0.0107 sits at the 78.2nd percentile, i.e. in the top 21.8% of CVEs by predicted exploit likelihood, although the absolute probability EPSS assigns (roughly 1% chance of exploitation activity in the next 30 days) is still low. It is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-50168 is a type confusion vulnerability (CWE-843; the page also records CWE-122, heap-based buffer overflow) in the Windows Win32K - ICOMP component. The flaw lets an authorized local attacker access a resource using an incompatible type. Win32K is kernel-mode code, so a type confusion there is a memory-safety bug inside the kernel, which is why CVSS rates the impact on confidentiality, integrity and availability as high (7.8 overall).

The CVSS vector (AV:L, PR:L, UI:N) means the attacker must already have local code execution as a low-privileged user but needs no user interaction: the typical use is as a second stage after initial access, turning a foothold into code execution with elevated rights on the host.

The official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50168 lists the security updates that remediate the type confusion condition in Win32K. No workaround is recorded on this page, so applying the update is the control. The EPSS score has stayed flat at 0.0107 since disclosure, with no material increase.

Vulnerability details

Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.

CWE(s)

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CWE-122: Heap-based Buffer Overflow

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Windows 11 22H2: builds ≤ 10.0.22621.5768
Microsoft Windows 11 23H2: builds ≤ 10.0.22631.5768
Microsoft Windows 11 24H2: builds ≤ 10.0.26100.4851
Microsoft Windows Server 2022 23H2: builds ≤ 10.0.25398.1791
Microsoft Windows Server 2025: builds ≤ 10.0.26100.4851
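The build thresholds above are the practical test for exposure: a host is affected if its major build matches one of the listed lines and its update build revision (UBR) is at or below the listed value. The following PowerShell is an added example for this page, not code from Microsoft or from the tracker. It reads CurrentBuildNumber and UBR from the registry, classifies the host against the thresholds copied from the list above, and includes a helper for sweeping remote hosts over WinRM. The function names, the hostnames in the sample calls and the assumption that any UBR above the threshold carries the fix are the example's own.

```powershell
# Added example (not the advisory's or Microsoft's code): classify a Windows host against
# the "affected up to" builds listed on this page for CVE-2025-50168.
# Assumption: a UBR strictly greater than the listed threshold means the August 2025
# security update, or a later cumulative update, is installed.

# Major build -> last affected UBR, copied from the Affected Assets list above.
$Cve202550168Thresholds = @{
    '22621' = 5768   # Windows 11 22H2                          (10.0.22621.5768)
    '22631' = 5768   # Windows 11 23H2                          (10.0.22631.5768)
    '26100' = 4851   # Windows 11 24H2 and Windows Server 2025  (10.0.26100.4851)
    '25398' = 1791   # Windows Server 2022 23H2                 (10.0.25398.1791)
}

function Test-Cve202550168Exposure {
    # Returns one object with Status = Vulnerable | Patched | NotListed.
    # With no arguments it reads the local machine; pass CurrentBuildNumber/UBR to
    # classify values collected elsewhere (registry export, CMDB, remote query).
    [CmdletBinding()]
    param(
        [string]$CurrentBuildNumber,
        [Nullable[int]]$UBR,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    if (-not $CurrentBuildNumber -or $null -eq $UBR) {
        # Both values live under the same key; UBR is the last field of the full build string.
        $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
                   -Name CurrentBuildNumber, UBR
        if (-not $CurrentBuildNumber) { $CurrentBuildNumber = $ver.CurrentBuildNumber }
        if ($null -eq $UBR)           { $UBR = [int]$ver.UBR }
    }

    $threshold = $Cve202550168Thresholds[$CurrentBuildNumber]
    if ($null -eq $threshold) {
        # Not one of the builds this page enumerates (e.g. Windows 10 / Server 2019):
        # verify directly against the MSRC advisory rather than assuming "not affected".
        $status        = 'NotListed'
        $thresholdText = $null
    } elseif ($UBR -le $threshold) {
        $status        = 'Vulnerable'   # at or below the last affected build
        $thresholdText = "10.0.$CurrentBuildNumber.$threshold"
    } else {
        $status        = 'Patched'
        $thresholdText = "10.0.$CurrentBuildNumber.$threshold"
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Build        = "10.0.$CurrentBuildNumber.$UBR"
        Threshold    = $thresholdText
        Status       = $status
    }
}

function Get-Cve202550168FleetReport {
    # Pulls the two registry values from remote hosts over WinRM and classifies each.
    # Requires PowerShell remoting to be enabled on the targets.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber, UBR
    } | ForEach-Object {
        Test-Cve202550168Exposure -CurrentBuildNumber $_.CurrentBuildNumber `
                                  -UBR ([int]$_.UBR) -ComputerName $_.PSComputerName
    }
}

# Local host.
Test-Cve202550168Exposure

# Constructed inputs (not real hosts) exercising each branch:
Test-Cve202550168Exposure -CurrentBuildNumber 26100 -UBR 4851 -ComputerName 'lab-24h2'   # Vulnerable (equal to threshold)
Test-Cve202550168Exposure -CurrentBuildNumber 26100 -UBR 4946 -ComputerName 'lab-srv25'  # Patched
Test-Cve202550168Exposure -CurrentBuildNumber 19045 -UBR 6093 -ComputerName 'lab-win10'  # NotListed

# Fleet sweep (run with real hostnames from your inventory):
# Get-Cve202550168FleetReport -ComputerName 'ws01','ws02' | Where-Object Status -ne 'Patched'
```

Two caveats when using this as an exposure check. A NotListed result only means the build is not among the five enumerated on this page, not that the SKU is unaffected, so cross-check anything unexpected against the MSRC advisory. And a build check is a proxy for the installed update: on a host whose cumulative update is pending a reboot, UBR will still read the pre-update value, which is the conservative (Vulnerable) answer you want.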

Mitigating Controls

No mitigating controls have been mapped to this CVE yet; the only remediation recorded here is the Microsoft security update referenced in the MSRC advisory. Because exploitation requires an existing low-privileged local foothold (PR:L), controls that limit untrusted local code execution reduce the chance the flaw is reachable, but they do not substitute for the update.

References

Microsoft Security Response Center advisory for CVE-2025-50168: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50168