CVE-2026-25181
Published: 10 March 2026
Summary
CVE-2026-25181 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-25181 is an out-of-bounds read vulnerability (CWE-125) in the Windows GDI+ component. Published on 2026-03-10T18:18:34.430, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue enables an unauthorized attacker to disclose information over a network.
An unauthenticated attacker can exploit this vulnerability remotely, requiring low attack complexity and no user interaction or privileges. Successful exploitation results in high-impact information disclosure from the affected Windows system.
Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25181.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10653
Vulnerability details
Out-of-bounds read in Windows GDI+ allows an unauthorized attacker to disclose information over a network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of GDI+ OOB read directly enables initial access via public-facing app exploitation (T1190) and high-impact local data/memory disclosure (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the out-of-bounds read in Windows GDI+ by requiring timely installation of vendor-provided security patches.
Implements memory protection mechanisms such as ASLR and DEP to restrict the impact of out-of-bounds reads that disclose sensitive information.
Validates malformed inputs processed by GDI+ to prevent triggering the out-of-bounds read vulnerability remotely.