CVE-2026-21235

Q: What is the severity of CVE-2026-21235?

CVE-2026-21235 has a CVSS score of 7.3 (HIGH). This vulnerability involves a use-after-free flaw in Microsoft Graphics Component that allows an authenticated attacker to execute arbitrary code with elevated privileges on a local system. It affects Windows systems with the vulnerable component installed. Attackers need local access to exploit this vulnerability.

7.3 HIGH

📋 TL;DR

This vulnerability involves a use-after-free flaw in Microsoft Graphics Component that allows an authenticated attacker to execute arbitrary code with elevated privileges on a local system. It affects Windows systems with the vulnerable component installed. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:

Microsoft Windows
Microsoft Graphics Component

Versions: Windows 10 versions 1809 through 22H2, Windows 11 versions 21H2 through 23H2

Operating Systems: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with Microsoft Graphics Component enabled (default on most Windows installations) are vulnerable. Server Core installations may be less affected depending on graphics component usage.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker gains SYSTEM-level privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement within the network.

🟠

Likely Case

Privilege escalation from standard user to administrator/SYSTEM level, allowing installation of malware, credential harvesting, and bypassing security controls.

🟢

If Mitigated

With proper privilege separation and application control policies, impact is limited to the compromised user's context rather than full system takeover.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the target system.

🏢 Internal Only: HIGH - Malicious insiders or attackers who gain initial foothold can use this to escalate privileges and move laterally within the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local authenticated access and knowledge of memory manipulation techniques. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security Update KB5021235 (January 2026 Patch Tuesday) or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21235

Restart Required: Yes

Instructions:

1. Open Windows Update Settings. 2. Click 'Check for updates'. 3. Install all available security updates. 4. Restart the system when prompted. 5. Verify installation via 'View update history'.

🔧 Temporary Workarounds

Disable vulnerable graphics components

windows

Disable or remove Microsoft Graphics Component if not required for system functionality

Disable-WindowsOptionalFeature -Online -FeatureName "Graphics-Tools-Full" -Remove
Remove-WindowsCapability -Online -Name "Graphics.Tools~~~~0.0.1.0"

Apply Microsoft Exploit Protection

windows

Enable Control Flow Guard and Arbitrary Code Guard to mitigate exploitation

Set-ProcessMitigation -System -Enable CFG,ACG

🧯 If You Can't Patch

Implement strict privilege separation - ensure users operate with least privilege necessary
Deploy application control policies (AppLocker/Windows Defender Application Control) to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Windows version and installed updates via 'winver' and 'Get-Hotfix -Id KB5021235' in PowerShell

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5021235 is installed: 'Get-Hotfix | Where-Object {$_.HotFixID -eq "KB5021235"}' returns the update

📡 Detection & Monitoring

Log Indicators:

Event ID 4688: New process creation with SYSTEM privileges from non-SYSTEM user
Event ID 4104: Script block logging showing privilege escalation attempts
Unexpected graphics component process crashes (Event ID 1000)

Network Indicators:

Unusual outbound connections from systems after local privilege escalation
Lateral movement attempts from previously compromised hosts

SIEM Query:

source="windows_security" event_id=4688 AND (user!="SYSTEM" AND integrity_level="System") | stats count by host, user, process_name

📊 Metadata

CVE ID: CVE-2026-21235

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

EPSS Score: 0.03% exploit probability (7.1th percentile)

Published: February 10, 2026

Last Updated: February 11, 2026

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21235 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable vulnerable graphics components

Apply Microsoft Exploit Protection

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities