Cyber Posture

CVE-2026-25190

Severity: High · LPE

Published: 10 March 2026
Modified: 13 March 2026
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (9.6th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25190 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Search Order Hijacking (T1038). The CVE is ranked at the 9.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-11 (User-installed Software).

Threat & Defense at a Glance

What attackers do: exploitation maps to DLL Search Order Hijacking (T1038) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly remediates the untrusted search path vulnerability in Windows GDI by requiring timely identification, reporting, and deployment of vendor patches as referenced in Microsoft's update guide.

Secure baseline configuration (prevent): Enforces secure baseline configuration settings such as Safe DLL Search Mode to prioritize trusted paths and prevent loading of malicious DLLs via GDI's untrusted search path.

CM-11 User-installed Software (prevent): Restricts user-installed software to block placement of malicious files in untrusted search paths that a local attacker could exploit through user interaction with GDI.

MITRE ATT&CK Enterprise Techniques

T1038 DLL Search Order Hijacking (Persistence): Windows systems use a common method to look for required DLLs to load into a program.
T1204.002 Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
T1574.008 Path Interception by Search Order Hijacking (Stealth): Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Why these techniques?

Untrusted search path (CWE-426) in GDI directly enables DLL search order hijacking/path interception to load attacker-controlled code; exploitation requires user interaction via malicious file (T1204.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Untrusted search path in Windows GDI allows an unauthorized attacker to execute code locally.

Deeper analysis

CVE-2026-25190 is an untrusted search path vulnerability (CWE-426) in the Windows Graphics Device Interface (GDI). Published on 2026-03-10T18:18:36.300, it carries a CVSS v3.1 base score of 7.8 (High), reflecting a local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The flaw affects Windows systems that use GDI for graphics rendering.

A local unauthorized attacker can exploit this vulnerability by leveraging the untrusted search path to execute arbitrary code. Exploitation requires tricking a user into performing an action, such as opening a malicious file, but demands no elevated privileges. Upon success, the attacker achieves full local code execution, potentially compromising the victim's system with high-severity impact on the confidentiality, integrity, and availability of its data.

Microsoft's update guide provides details on mitigation and patching for CVE-2026-25190, available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25190. Security practitioners should consult this advisory for deployment instructions and verify system updates.

Details

CWE(s): CWE-426 (Untrusted Search Path)

Affected Products

microsoft windows 10 1607: ≤ 10.0.14393.8957
microsoft windows 10 1809: ≤ 10.0.17763.8511
microsoft windows 10 21h2: ≤ 10.0.19044.7058
microsoft windows 10 22h2: ≤ 10.0.19045.7058
microsoft windows 11 23h2: ≤ 10.0.22631.6783
microsoft windows 11 24h2: ≤ 10.0.26100.7979
microsoft windows 11 25h2: ≤ 10.0.26200.7979
microsoft windows 11 26h1: ≤ 10.0.28000.1719
microsoft windows server 2012: all versions, R2
microsoft windows server 2016: ≤ 10.0.14393.8957
+4 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-27916: same product (Microsoft Windows 10 1607)
CVE-2026-32077: same product (Microsoft Windows 10 1607)
CVE-2026-26168: same product (Microsoft Windows 10 1607)
CVE-2026-24294: same product (Microsoft Windows 10 1607)
CVE-2026-27914: same product (Microsoft Windows 10 1607)
CVE-2026-32183: same product (Microsoft Windows 10 1607)
CVE-2026-27909: same product (Microsoft Windows 10 1607)
CVE-2026-32202: same product (Microsoft Windows 10 1607)
CVE-2026-27915: same product (Microsoft Windows 10 1607)
CVE-2026-27923: same product (Microsoft Windows 10 1607)