CVE-2026-20846
Published: 10 February 2026
Summary
CVE-2026-20846 is a high-severity Buffer Over-read (CWE-126) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 20.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-20846 is a buffer over-read vulnerability (CWE-126) in the Windows GDI+ graphics component. Published on 2026-02-10, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for availability disruption.
An unauthorized attacker can exploit this vulnerability remotely over a network with low attack complexity, requiring no privileges and no user interaction. Successful exploitation results in a denial-of-service condition with high impact on availability, but no impact on confidentiality or integrity.
The Microsoft Security Response Center has published an update guide detailing mitigations for CVE-2026-20846 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20846.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7309
Vulnerability details
Buffer over-read in Windows GDI+ allows an unauthorized attacker to deny service over a network.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Application or System Exploitation (T1499.004)
Why these techniques?
The buffer over-read in GDI+ is reachable over the network and, when triggered, results in endpoint denial of service (high availability impact), which is the behaviour T1499.004 describes.
Affected Assets
- Microsoft Windows 10 21H2
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws such as the buffer over-read in Windows GDI+, as detailed in the MSRC update guide.
- SC-5 (Denial-of-service Protection): directly implements protections to limit the effects of network-based denial-of-service attacks exploiting this vulnerability.
- Input validation: validates inputs to GDI+ graphics processing to prevent malformed data from triggering the buffer over-read condition.