Cyber Resilience

CVE-2026-20846

Severity: High
Published: 10 February 2026
Modified: 11 February 2026
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (20.1 percentile)
Risk Priority: 15 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20846 is a high-severity buffer over-read (CWE-126) in the Windows GDI+ graphics component. It affects supported Windows 10, Windows 11 and Windows Server releases (see Affected Assets below) and carries a CVSS v3.1 base score of 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS places the CVE at the 20.1 percentile for exploit likelihood (probability 0.0006, below the median), and it is not currently listed in the CISA KEV catalog. The two signals pull in different directions: the CVSS score reflects an unauthenticated, network-reachable denial of service, while the low EPSS value means the model estimates a small probability of in-the-wild exploitation within the next 30 days, so prioritisation should weigh both rather than rely on either alone.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation). Of the two, applying the Microsoft update is the only one that removes the flaw; SC-5 limits the blast radius while systems remain unpatched.

Deeper analysis

CVE-2026-20846 is a buffer over-read vulnerability (CWE-126) in the Windows GDI+ graphics component. Published on 2026-02-10, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for availability disruption.

An unauthorized attacker can trigger the over-read remotely over a network with low attack complexity, needing neither privileges nor user interaction (PR:N, UI:N). Successful exploitation yields a denial of service with high availability impact (A:H) and no confidentiality or integrity impact (C:N, I:N). Because the vector is network-scoped, the exposure to assess is any network-reachable service or application that hands attacker-supplied image data to GDI+ for parsing; the advisory text does not name a specific protocol or service.

The Microsoft Security Response Center has published an update guide detailing mitigations for CVE-2026-20846 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20846.

Vulnerability details

Buffer over-read in Windows GDI+ allows an unauthorized attacker to deny service over a network.

CWE(s)

CWE-126 Buffer Over-read

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why this technique?

A buffer over-read in GDI+ that is reachable over the network lets an attacker crash the consuming application or system, which is exactly the endpoint denial of service T1499.004 describes (high availability impact, no confidentiality or integrity impact).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

Grouped by a shared affected product (Microsoft Windows 10 1607), not by component or weakness class:

CVE-2025-21277
CVE-2026-21525
CVE-2026-40401
CVE-2026-40413
CVE-2026-40414
CVE-2026-35424
CVE-2026-20875
CVE-2026-32071
CVE-2025-21351
CVE-2025-21389

Affected Assets

Builds at or below the listed number are within the affected range recorded in NVD; builds above it are outside that range.

Microsoft Windows 10 1607: ≤ 10.0.14393.8868
Microsoft Windows 10 1809: ≤ 10.0.17763.8389
Microsoft Windows 10 21H2: ≤ 10.0.19044.6937
Microsoft Windows 10 22H2: ≤ 10.0.19045.6937
Microsoft Windows 11 23H2: ≤ 10.0.22631.6649
Microsoft Windows 11 24H2: ≤ 10.0.26100.7781
Microsoft Windows 11 25H2: ≤ 10.0.26200.7781
Microsoft Windows Server 2012 and 2012 R2: all versions
Microsoft Windows Server 2016: ≤ 10.0.14393.8868
Microsoft Windows Server 2019: ≤ 10.0.17763.8389
+3 more product configuration(s); see NVD for the full list
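Turning the list above into a check is mostly a matter of comparing four-part build numbers per product line. The following is an added example, not code from the page or from Microsoft: it encodes the last-vulnerable builds shown above, treats Server 2012 and 2012 R2 as affected at every build because the page lists "all versions", and reports rather than silently passes any product not on the list (the page itself says three more configurations exist in NVD). The inventory rows are constructed sample data.

```python
"""Flag hosts still on a build affected by CVE-2026-20846.

Added example, not from the page or Microsoft. The thresholds are the
last-vulnerable builds in the Affected Assets list; a host whose build is at or
below its threshold is affected. SAMPLE_INVENTORY is constructed data.
"""
from typing import Optional

# Product (lower-case) -> highest affected build, or "all" where the page lists
# every version. Products outside this table are reported, not assumed safe.
LAST_VULNERABLE_BUILD = {
    "windows 10 1607": (10, 0, 14393, 8868),
    "windows 10 1809": (10, 0, 17763, 8389),
    "windows 10 21h2": (10, 0, 19044, 6937),
    "windows 10 22h2": (10, 0, 19045, 6937),
    "windows 11 23h2": (10, 0, 22631, 6649),
    "windows 11 24h2": (10, 0, 26100, 7781),
    "windows 11 25h2": (10, 0, 26200, 7781),
    "windows server 2012": "all",
    "windows server 2012 r2": "all",
    "windows server 2016": (10, 0, 14393, 8868),
    "windows server 2019": (10, 0, 17763, 8389),
}


def parse_build(build: str) -> tuple:
    """'10.0.19044.6937' -> (10, 0, 19044, 6937). Four numeric parts are
    required: the last one (UBR) is what separates patched from unpatched."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows build string: {build!r}")
    return tuple(int(p) for p in parts)


def status(product: str, build: Optional[str]) -> str:
    """One of: affected, patched, build-required, unknown-product."""
    threshold = LAST_VULNERABLE_BUILD.get(product.strip().lower())
    if threshold is None:
        return "unknown-product"   # not on this page's list; consult the full NVD configuration list
    if threshold == "all":
        return "affected"          # Server 2012 / 2012 R2: every build is listed
    if build is None:
        return "build-required"    # cannot decide without the UBR
    return "affected" if parse_build(build) <= threshold else "patched"


# Constructed sample inventory: (hostname, product, build). Not real hosts.
SAMPLE_INVENTORY = [
    ("ws-0042", "Windows 10 22H2", "10.0.19045.6937"),    # exactly the last affected build
    ("ws-0107", "Windows 11 24H2", "10.0.26100.7800"),    # above the threshold
    ("srv-app1", "Windows Server 2019", "10.0.17763.8389"),
    ("srv-legacy", "Windows Server 2012 R2", None),
    ("kiosk-3", "Windows 10 1507", "10.0.10240.20000"),   # release not listed on the page
]


def audit(inventory) -> dict:
    """hostname -> status for every inventory row."""
    return {host: status(product, build) for host, product, build in inventory}


if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {result}")
```

The build string is the CurrentBuild and UBR values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion joined as 10.0.<CurrentBuild>.<UBR>, the same number winver displays. Comparison is done as an integer tuple, not as a string, so 10.0.19045.10000 correctly sorts above 10.0.19045.6937, and the product key selects the row, so a 19045 build is never measured against the 19044 threshold.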

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of flaws such as the buffer over-read in Windows GDI+, as detailed in the MSRC update guide.

SC-5 Denial-of-service Protection (prevent, detect)
Directly implements protections to limit the effects of network-based denial-of-service attacks exploiting this vulnerability.

Input validation (prevent)
Validates inputs to GDI+ graphics processing to prevent malformed data from triggering the buffer over-read condition. This validation lives inside the GDI+ parsing code itself, so it is delivered by the vendor update rather than being something an operator can configure; for defenders the operative controls remain SI-2 and SC-5.

References

Microsoft Security Response Center update guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20846