CVE-2026-44812: the Win32k GRFX graphics RCE hiding inside your Preview Pane
June 2026 Patch Tuesday integer overflow — 'Exploitation More Likely', low EPSS, no public PoC: what that combination actually means for your fleet
Microsoft labelled this one "Remote Code Execution." The CVSS vector tells the real story: AV:L / UI:R. A user previews a crafted graphics file in the Windows File Explorer Preview Pane (or simply opens it), the Win32k GRFX subsystem mishandles an attacker-controlled size calculation, and the heap gets corrupted. CVSS 7.8 HIGH, shipped as part of the record June 2026 Patch Tuesday cycle (roughly 198–208 CVEs, depending on whose tally you read), not exploited in the wild, no public PoC, absent from CISA KEV. But Microsoft marks it "Exploitation More Likely", and the tension between that forward-looking warning and a calm EPSS is exactly what this breakdown unpacks.
What CVE-2026-44812 actually is
At its core: a CWE-190 integer overflow or wraparound in the Windows Win32k GRFX kernel graphics rendering subsystem. Microsoft's own description — "Integer overflow or wraparound in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally" — is precise but compact. The exploit path follows the well-established pattern for this bug class: attacker-controlled dimensions in a graphics object header (a metafile record, glyph table, or image header) feed a size calculation; the arithmetic overflows, yielding an undersized heap allocation; the parser copies the full payload into that smaller buffer, producing a heap buffer overflow that is steered toward code execution. The exact integer width and memory layer (kernel win32kfull.sys vs. shared user-mode imaging code like gdi32full.dll) are not confirmed without a public patch diff — the name "Win32k GRFX" points at kernel-mode graphics, but the CVE also affects Office for Android, which runs no Win32k kernel code, suggesting shared user-mode imaging code may be involved too.
One critical nuance on "Remote." Per Microsoft's own FAQ: "'Remote' refers to the location of the attacker ... the attack itself is carried out locally." The CVSS vector confirms this: AV:L (the malicious data is a file processed on the target machine, not a network request) and UI:R (the victim must view the file in the Preview Pane or open it). This also corrects the automated ATT&CK mapping: the right technique is T1203 (Exploitation for Client Execution), not T1190 (Exploit Public-Facing Application), which applies to AV:N network-reachable services. Scope is S:U, so the impact stays within the vulnerable component, and C:H/I:H/A:H means full compromise of whatever security context parses the file. Whether that context is the user's preview or Office process or the kernel depends on which layer actually holds the overflow (win32kfull.sys or shared user-mode imaging code), and the public advisory does not settle that. Do not read the kernel-flavoured name as a promise of SYSTEM, and do not read PR:N/UI:R as a promise that this is only a user-mode crash.
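To make the CWE-190 shape concrete, the following is an added Python model of the bug class, not code from the advisory and not a claim about where the real check sits in win32kfull.sys or gdi32full.dll. It parses a constructed 40-byte BITMAPINFOHEADER (the real DIB layout) whose width, height and bit depth are attacker-controlled, computes the pixel-buffer size the way an unchecked 32-bit `DWORD` product would wrap, and shows the hardened form that rejects the header before any allocation. The header bytes, the chosen dimensions and every function name are this example's own.

```python
import struct

# Real BITMAPINFOHEADER layout (40 bytes, little-endian). The header values used
# below are constructed for this example and are not a sample from any real file.
# biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression, biSizeImage,
# biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
HEADER_FMT = "<IiiHHIIiiII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 40
UINT32_MAX = 0xFFFFFFFF
VALID_BPP = (1, 4, 8, 16, 24, 32)


def make_header(width: int, height: int, bpp: int) -> bytes:
    """Build a minimal DIB header with attacker-chosen dimensions."""
    return struct.pack(HEADER_FMT, HEADER_SIZE, width, height, 1, bpp, 0, 0, 0, 0, 0, 0)


def parse_header(data: bytes) -> dict:
    """Pull the three size-relevant fields out of the header."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated header")
    f = struct.unpack(HEADER_FMT, data[:HEADER_SIZE])
    return {"width": f[1], "height": f[2], "bpp": f[4]}


def row_bytes(width: int, bpp: int) -> int:
    """DIB scanlines are padded to a 4-byte boundary."""
    return ((width * bpp + 31) // 32) * 4


def true_size(width: int, height: int, bpp: int) -> int:
    """Bytes the pixel payload really occupies (unbounded arithmetic)."""
    return row_bytes(width, bpp) * abs(height)


def vulnerable_alloc_size(width: int, height: int, bpp: int) -> int:
    """Models `DWORD cb = rowbytes * height;` with no overflow check (CWE-190).
    The product wraps modulo 2**32, so the allocation can be far smaller than
    the payload the parser then copies into it: the undersized-buffer primitive."""
    return (row_bytes(width, bpp) * abs(height)) & UINT32_MAX


def checked_alloc_size(width: int, height: int, bpp: int) -> int:
    """Hardened form: bound every input, then test the product before forming it
    (rb > UINT32_MAX // h is rb * h > UINT32_MAX without overflowing)."""
    h = abs(height)
    if width <= 0 or h == 0 or bpp not in VALID_BPP:
        raise ValueError("rejected dimensions")
    rb = row_bytes(width, bpp)
    if rb > UINT32_MAX // h:
        raise ValueError("size overflow")
    return rb * h


def assess(data: bytes) -> dict:
    """What an unchecked parser would allocate versus what it would copy."""
    h = parse_header(data)
    claimed = true_size(h["width"], h["height"], h["bpp"])
    allocated = vulnerable_alloc_size(h["width"], h["height"], h["bpp"])
    return {"claimed": claimed, "allocated": allocated, "undersized": allocated < claimed}


if __name__ == "__main__":
    # 65536 px wide at 32 bpp is one 256 KiB row; 16385 rows pushes the product
    # just past 2**32, so the wrapped allocation is exactly one row.
    evil = make_header(0x10000, 0x4001, 32)
    print(assess(evil))
    try:
        checked_alloc_size(0x10000, 0x4001, 32)
    except ValueError as exc:
        print("hardened parser:", exc)
```

The dimensions are chosen so the wrapped size lands on a single 256 KiB row while the file claims just over 4 GiB of pixels; a parser that trusts the wrapped value allocates one row and then copies whatever the file supplies past the end of it. The hardened check is the general pattern regardless of format: validate each dimension, then test the multiplication against the limit using division so the test itself cannot overflow.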
The exploitation chain
From crafted file to local code execution in five stages — each with a chokepoint that is cheap to deploy. The most effective prevention is at stage 3 (the patch, the only control that removes the vulnerability). The most sensitive detection is at stage 4, where crash telemetry and behavioural rules catch both failed and successful exploitation attempts.
CVE-2026-44812 attack chain — crafted graphics file to local code execution
- 1. Deliver crafted file (email / download / share) — Attacker delivers a malformed image, EMF, or font-bearing file. ATT&CK T1566/T1566.001. CHOKEPOINT: mail/web filtering, Mark-of-the-Web, and user awareness reduce the odds it reaches a parse.
- 2. Victim previews or opens the file (UI:R) — File Explorer Preview Pane render or file open triggers parsing — a near-one-click primitive. CHOKEPOINT: disable Preview Pane on shared/exposed hosts; Office ASR limits what a compromised process can do next.
- 3. Win32k GRFX integer overflow → heap corruption — Attacker-controlled size overflows/wraps arithmetic (CWE-190) → undersized allocation → oversized copy → heap corruption. CHOKEPOINT: the June 2026 patch fixes the arithmetic — the only control that stops this primitive.
- 4. Local code execution (C:H / I:H / A:H) — Successful exploitation yields high-impact local compromise on the parsing host at the victim process's integrity level. CHOKEPOINT (detect): WER/AppCrash on graphics modules catches failed and successful attempts; behavioural rules catch the follow-on payload.
- 5. Post-exploitation payload — Follow-on LOLBins / persistence from the compromised parsing host. CHOKEPOINT: SigmaHQ Office-child-process + Elastic EQL baselines; EDR behavioural detection.
- Prevent: deploy June 2026 patch — The single control that removes the vulnerability rather than just reducing the attack surface. Everything before stage 3 only lowers the odds of reaching the bug — only the patch stops the integer overflow itself.
- Detect: WER crash + behavioural rules — Crash telemetry on gdi32full/windowscodecs/DWrite + anomalous children of parsing hosts (Office, prevhost.exe, dllhost.exe). These signals fire on both failed and successful exploitation attempts.
Am I affected?
The footprint is wide — roughly 62 products in enrichment, spanning Windows client, Windows Server, and Office for Android. The common thread is likely shared graphics/imaging code, though Microsoft has not confirmed the specific shared component. Android Office (Word, Excel, PowerPoint) is separately affected and received updates on 2026-06-15, a week after the Windows patches — it is not covered by Windows Update, so push updates via MDM or direct Play Store install.
| Dimension | Detail |
|---|---|
| Root cause | CWE-190 integer overflow in Win32k GRFX → heap corruption on size wraparound |
| CVSS base | 7.8 HIGH — AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD + MSRC agree) |
| CVSS temporal | 6.8 — E:U (no exploit code), RL:O (official fix available), RC:C (confirmed) |
| KEV status | Not listed — verified against CISA catalog + cisagov feed v2026.06.29 |
| EPSS | ~0.44% (~35th percentile) as of 2026-07-01 |
| MSRC exploitability | Exploitation More Likely — publiclyDisclosed=No, exploited=No |
| Disclosed | 2026-06-09 (June 2026 Patch Tuesday) |
| Workaround | None — the June 2026 cumulative update is the only remediation |
| Win11 24H2 / 25H2 | KB5094126 → builds 26100.8655 / 26200.8655 |
| Win11 23H2 | KB5093998 → build 22631.7219 |
| Win10 22H2 / 21H2 (ESU) | KB5094127 → 19045.7417 / 19044.7417 |
| Win10 1809 / Server 2019 | KB5094123 → 17763.8880 |
| Win10 1607 / Server 2016 | KB5094122 → 14393.9234 |
| Server 2025 / 2022 | KB5094125 / KB5094128 |
| Server 2012 / 2012 R2 | KB5094042 |
| Office for Android | Fixed builds available 2026-06-15 via Google Play / MDM (verify exact build in Play Store before gating) |
Urgency calibration: 'Exploitation More Likely' vs low EPSS
The single most useful interpretive point in this dossier: Microsoft's "Exploitation More Likely" and the low EPSS (~0.44%) are not in conflict — they measure different things. MSRC "More Likely" is a qualitative, forward-looking judgment about code-path attractiveness and exploitation feasibility — Win32k GRFX is a historically interesting surface, and a CWE-190 integer overflow at low attack complexity is a tractable class. EPSS ~0.44% is an empirical, 30-day probability driven by observed real-world signal, of which there is currently none: no public PoC, not in KEV, and a local UI:R requirement that resists mass internet scanning entirely.
Both readings are consistent: an attractive future target that is not a live threat today. For most assets, fold into the normal June 2026 patch ring — there is no CISA KEV deadline compelling emergency action. Escalate for multi-user terminal servers, VDI, RDP hosts, and high-value endpoints — environments where a user routinely previews untrusted files and where a graphics RCE is both most damaging and the most plausible first-to-weaponize candidate from a "More Likely" Patch Tuesday list. The June 2026 active-exploitation crown went to CVE-2026-41091 (Microsoft Defender EoP), which is on KEV; CVE-2026-44812 is in a different tier.
Detection: when you can't signature the file
You cannot reliably signature the malicious file. This is a memory-corruption bug in graphics parsing — the trigger is a malformed image, metafile, or font whose maliciousness lives in header arithmetic, not a static byte string. Cisco Talos published Snort coverage for the full June 2026 cycle but mapped no SID to CVE-2026-44812, and a network signature is structurally meaningless for a local file-parse anyway. Detection must target four observable side-effects instead:
- Anomalous graphics-DLL image loads (highest value). A user-mode graphics DLL (`gdi32full.dll`, `windowscodecs.dll`, `DWrite.dll`, `d2d1.dll`) loading into a process that should not render graphics: `rundll32`, `wscript`, `powershell`. (`dllhost.exe` is excluded from this list on purpose: as the COM surrogate it legitimately hosts preview and thumbnail handlers, so it belongs with the parsing hosts below.) Hunt via Sysmon Event 7 (ImageLoad) or Defender `DeviceImageLoadEvents`.
- Post-exploitation child-process behaviour. An Office app or Preview-Pane host (`prevhost.exe`, `dllhost.exe`, `explorer.exe`) spawning LOLBin children (`powershell`, `mshta`, `regsvr32`, `wscript`, `certutil`, `bitsadmin`). Reuse maintained baselines: SigmaHQ "Suspicious Microsoft Office Child Process" (id 438025f9) and Elastic's prebuilt EQL rule.
- Crash telemetry. A failed exploit and a successful one both perturb the same modules. Look for `WerFault.exe` / `wermgr.exe` spawned under an Office or graphics-parse host, and Application Error (Event ID 1000) naming a user-mode graphics DLL as the faulting module. Threshold: 3+ crashes per host per hour; exclude known GPU driver modules (`nvwgf2*`, `atidxx`, `igd*`, `dxgkrnl`).
- Mark-of-the-Web delivery signal. The crafted file arrives via mail, download, or file share. An Office or shell host touching a MOTW-tagged file (`Zone.Identifier` stream, Sysmon Event 15 FileCreateStreamHash) is a pre-execution signal the other three don't provide.
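The two side-effects that need stateful logic rather than a one-line query are the crash threshold (3+ graphics-DLL crashes per host within an hour, GPU driver modules excluded) and the parsing-host-to-LOLBin child rule. The following is an added Python pass over constructed, pre-normalised events; it is not the SigmaHQ or Elastic rule text and not real telemetry. The field names (`event_id`, `faulting_module`, `parent_image`, `image`) are this example's own schema, which a real pipeline would map onto exported EVTX or Defender columns.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, not real telemetry. event_id 1000 = Application Error,
# event_id 1 = Sysmon ProcessCreate. Field names are this example's own schema.
SAMPLE_EVENTS = [
    # WS01: four graphics-DLL crashes in 40 minutes across prevhost and Word
    {"ts": "2026-06-10T09:00:00", "host": "WS01", "event_id": 1000,
     "image": "prevhost.exe", "faulting_module": "gdi32full.dll"},
    {"ts": "2026-06-10T09:12:00", "host": "WS01", "event_id": 1000,
     "image": "prevhost.exe", "faulting_module": "gdi32full.dll"},
    {"ts": "2026-06-10T09:25:00", "host": "WS01", "event_id": 1000,
     "image": "WINWORD.EXE", "faulting_module": "windowscodecs.dll"},
    {"ts": "2026-06-10T09:40:00", "host": "WS01", "event_id": 1000,
     "image": "prevhost.exe", "faulting_module": "DWrite.dll"},
    # WS02: two graphics crashes hours apart plus GPU-driver noise: no alert
    {"ts": "2026-06-10T08:00:00", "host": "WS02", "event_id": 1000,
     "image": "explorer.exe", "faulting_module": "windowscodecs.dll"},
    {"ts": "2026-06-10T11:30:00", "host": "WS02", "event_id": 1000,
     "image": "explorer.exe", "faulting_module": "windowscodecs.dll"},
    {"ts": "2026-06-10T10:01:00", "host": "WS02", "event_id": 1000,
     "image": "game.exe", "faulting_module": "nvwgf2umx.dll"},
    {"ts": "2026-06-10T10:02:00", "host": "WS02", "event_id": 1000,
     "image": "game.exe", "faulting_module": "nvwgf2umx.dll"},
    {"ts": "2026-06-10T10:03:00", "host": "WS02", "event_id": 1000,
     "image": "game.exe", "faulting_module": "nvwgf2umx.dll"},
    # WS03: Preview Pane host spawning a LOLBin, and a benign Office child
    {"ts": "2026-06-10T09:41:00", "host": "WS03", "event_id": 1,
     "parent_image": "prevhost.exe", "image": "powershell.exe"},
    {"ts": "2026-06-10T09:42:00", "host": "WS03", "event_id": 1,
     "parent_image": "WINWORD.EXE", "image": "splwow64.exe"},
]

GRAPHICS_MODULES = {"gdi32full.dll", "windowscodecs.dll", "dwrite.dll", "d2d1.dll"}
GPU_DRIVER_GLOBS = ("nvwgf2*", "atidxx*", "igd*", "dxgkrnl*")
PARSE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe",
               "prevhost.exe", "dllhost.exe", "explorer.exe"}
LOLBINS = {"powershell.exe", "mshta.exe", "regsvr32.exe",
           "wscript.exe", "certutil.exe", "bitsadmin.exe"}
CRASH_THRESHOLD = 3          # 3+ crashes per host within any one-hour window
WINDOW = timedelta(hours=1)


def is_gpu_driver(module: str) -> bool:
    return any(fnmatch.fnmatch(module.lower(), g) for g in GPU_DRIVER_GLOBS)


def is_graphics_crash(evt: dict) -> bool:
    """Event 1000 whose faulting module is a user-mode graphics DLL, GPU drivers excluded."""
    if evt.get("event_id") != 1000:
        return False
    module = evt.get("faulting_module", "").lower()
    return module in GRAPHICS_MODULES and not is_gpu_driver(module)


def crash_alerts(events) -> dict:
    """{host: peak crash count in any sliding one-hour window} for hosts at or over threshold."""
    per_host = defaultdict(list)
    for evt in events:
        if is_graphics_crash(evt):
            per_host[evt["host"]].append(datetime.fromisoformat(evt["ts"]))
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= WINDOW:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= CRASH_THRESHOLD:
            alerts[host] = peak
    return alerts


def suspicious_children(events) -> list:
    """Sysmon ProcessCreate where a parsing host spawns a LOLBin (the post-exploit signal)."""
    hits = []
    for evt in events:
        if evt.get("event_id") != 1:
            continue
        parent = evt.get("parent_image", "").lower()
        child = evt.get("image", "").lower()
        if parent in PARSE_HOSTS and child in LOLBINS:
            hits.append((evt["host"], parent, child))
    return hits


if __name__ == "__main__":
    print("crash alerts:", crash_alerts(SAMPLE_EVENTS))
    print("suspicious children:", suspicious_children(SAMPLE_EVENTS))
```

Two design points carry over to whatever query language you actually use: the window is sliding, not a fixed clock hour, so a burst straddling 09:59/10:00 is still counted; and the GPU-driver exclusion is applied to the faulting module before the threshold, otherwise a busy workstation with a flaky display driver trips the rule every afternoon.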
What to do now
- Check your build level, not `Get-HotFix`, which often misses cumulative updates (LCUs). Read the OS build and UBR from the registry: `$v = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'; "$($v.CurrentBuild).$($v.UBR)"`. Minimum patched UBRs are in the table above.
- Deploy the June 2026 cumulative update for each Windows/Server SKU per the patch matrix. For Android Office (Word, Excel, PowerPoint), push updates via MDM or direct Play Store update; Windows Update does not cover these apps.
- Prioritize multi-user terminal servers, VDI / RDP hosts, jump boxes, and high-value endpoints (admins, execs, developers) first. Standard patch ring for everything else.
- If you cannot patch immediately, enable the Defender ASR rules in Audit mode first ("Block all Office applications from creating child processes", "Block Office applications from creating executable content", "Block Win32 API calls from Office macros"), then move to Block after baselining. Also consider disabling the File Explorer Preview Pane on shared/exposed hosts; the Office ASR rules constrain Office processes only and do not cover the Preview Pane host (`prevhost.exe`), which is why the two controls are listed separately. These reduce post-exploit payload delivery; they do not stop the underlying integer-overflow primitive.
- Deploy the behavioural detections — image-load hunt, Office/prevhost child-process Sigma rules, WER crash telemetry.
- Re-triage on any state change: public PoC, EPSS spike above ~5%, or KEV listing → treat as emergency, notify IT/SecOps, reset your patch-ring SLA.
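Gating a fleet on the registry build string is where patch checks usually go wrong: the UBR threshold differs per `CurrentBuild`, and a build the matrix does not list must be reported, not silently passed. The following is an added Python triage over a constructed inventory of `CurrentBuild.UBR` strings (the output of the registry one-liner above), not a script from the advisory. The thresholds are transcribed from the patch matrix above; Server 2022 (CurrentBuild 20348) has a KB on this page but no build number, so it is deliberately left out of the table and surfaces as "unknown".

```python
import csv
import io

# Minimum patched UBR per CurrentBuild, transcribed from the patch matrix above.
# Builds absent here (e.g. 20348 for Server 2022, where the page lists a KB but
# no build number) are reported as unknown rather than guessed.
MIN_UBR = {
    26100: 8655,   # Win11 24H2, KB5094126
    26200: 8655,   # Win11 25H2, KB5094126
    22631: 7219,   # Win11 23H2, KB5093998
    19045: 7417,   # Win10 22H2, KB5094127
    19044: 7417,   # Win10 21H2 (ESU), KB5094127
    17763: 8880,   # Win10 1809 / Server 2019, KB5094123
    14393: 9234,   # Win10 1607 / Server 2016, KB5094122
}

# Constructed inventory (host,build) in the CurrentBuild.UBR form produced by the
# registry one-liner. These are not real hosts.
SAMPLE_INVENTORY = """\
host,build
WS01,26100.8655
WS02,26100.8601
VDI01,22631.7219
TS01,17763.8700
SRV22,20348.4100
LAB01,bogus
"""


def parse_build(value: str):
    """'26100.8655' -> (26100, 8655); ValueError on anything else."""
    major, ubr = value.strip().split(".")
    return int(major), int(ubr)


def classify(build_str: str) -> str:
    """patched / unpatched against MIN_UBR, unknown if the build is not in the matrix."""
    try:
        build, ubr = parse_build(build_str)
    except ValueError:
        return "invalid"
    minimum = MIN_UBR.get(build)
    if minimum is None:
        return "unknown"       # not in the matrix: verify the KB for that SKU by hand
    return "patched" if ubr >= minimum else "unpatched"


def triage(csv_text: str) -> dict:
    """Map each inventory host to its patch state for CVE-2026-44812."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(row["build"]) for row in reader}


def needs_action(results: dict) -> list:
    """Hosts to chase, unpatched first, then anything that could not be judged."""
    order = {"unpatched": 0, "unknown": 1, "invalid": 2}
    return sorted((h for h, s in results.items() if s != "patched"),
                  key=lambda h: (order[results[h]], h))


if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for host, state in results.items():
        print(f"{host:8} {state}")
    print("chase:", needs_action(results))
```

Feed it the terminal servers and VDI pools first: an "unknown" on a jump box is a finding in its own right, because it means nobody has written down what patched looks like for that SKU.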
Context: one node in a Win32k GRFX wave
CVE-2026-44812 is not a lone bug. In the same June 2026 cycle, its near-identical sibling CVE-2026-44803 (also "Windows Graphics Component RCE," also CWE-190 integer overflow in Win32K GRFX, also CVSS 7.8 HIGH, same day) shipped alongside a related Microsoft Graphics Component EoP CVE-2026-42986. Multiple graphics-parser overflows in one cycle is the fingerprint of a fuzzing or variant-hunting sweep of the same code path. Zoom out and the class runs back over a decade — Palo Alto Unit 42 traces attacker interest in Win32k to 2011, with real in-the-wild weaponization (CVE-2021-1732, CVE-2022-21882). The same integer-overflow-into-heap-overflow shape recurs repeatedly: attacker-controlled sizes in graphics/font parsing wrap arithmetic and corrupt memory.
For defenders, the practical implication is that the durable controls are class-wide, not CVE-specific — Preview Pane hygiene on shared hosts, Office ASR, tight patch latency on the graphics stack, and WER/AppCrash hunting on graphics modules. Each new sibling bug costs you very little if the class-wide posture is already in place.
FAQ
Is CVE-2026-44812 being exploited in the wild?
Not as of the data in this dossier. MSRC lists exploited=No and publiclyDisclosed=No, there is no public PoC, the CVE is absent from the CISA KEV catalog (checked against feed v2026.06.29), and EPSS sits around 0.44%. "Exploitation More Likely" is Microsoft's forward-looking assessment of the bug class, not an observation of attacks.
What does 'Remote Code Execution' mean here if it's AV:L?
"Remote" in Microsoft's taxonomy describes where the attacker is, not how the exploit arrives; the attack itself is carried out locally when the victim previews or opens the crafted file. The vector is AV:L/UI:R, so this is client-side exploitation (ATT&CK T1203), not a network-reachable service (T1190).
Is there a workaround if I can't patch right now?
No. Microsoft lists none; the June 2026 cumulative update is the only remediation. Disabling the File Explorer Preview Pane on shared hosts and enabling the Office ASR rules reduce exposure and limit the follow-on payload, but they do not remove the integer-overflow primitive.
Does this affect Office for Android?
Yes. Word, Excel and PowerPoint for Android are listed as affected and received fixed builds on 2026-06-15, a week after the Windows patches. They are not serviced by Windows Update; push the update via MDM or Google Play.
How do I correctly check if a Windows host is patched?
Run `Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'`, then check `CurrentBuild` and `UBR`. Do not rely solely on `Get-HotFix`; cumulative updates (LCUs) frequently do not appear as discrete KB entries. Minimum patched UBRs: Win11 24H2 ≥ 26100.8655, Win10 22H2 ≥ 19045.7417, Win10 1809/Server 2019 ≥ 17763.8880, Win10 1607/Server 2016 ≥ 14393.9234.
Sources
- NVD — CVE-2026-44812
- Microsoft MSRC Security Update Guide — CVE-2026-44812
- Microsoft — KB5094126 support page (Win11 24H2/25H2)
- Tenable — Microsoft's June 2026 Patch Tuesday (198 CVEs)
- Zero Day Initiative — June 2026 Security Update Review
- Cisco Talos — Microsoft Patch Tuesday for June 2026
- CrowdStrike — Patch Tuesday Analysis June 2026
- Rapid7 — CVE-2026-44812 vulnerability database
- Hive Pro — Microsoft June 2026 Patch Tuesday advisory
- threatint — CVE-2026-44812 (CVSS temporal vector)
- Qualys — Microsoft and Adobe Patch Tuesday June 2026
- CISA Known Exploited Vulnerabilities catalog
- Palo Alto Unit 42 — Win32k analysis (class history)
- SigmaHQ — Suspicious Microsoft Office Child Process
- Elastic — prebuilt MS Office child-process EQL rule
- winaero — June 2026 cumulative updates for Windows 10/11
- IT-Connect — June 2026 Windows Server update KBs