CVE-2026-50380 is a Windows GDI+ heap-based buffer overflow that can lead to remote code execution. Microsoft rates it at CVSS v3.1 9.6 (critical) with a temporal score of 8.3. The vector is network-reachable but requires user interaction, with low attack complexity, no privileges required, and changed scope. Microsoft says there is no public disclosure and no known exploitation; exploit code maturity is unproven. The vulnerability is phishing-related because it requires a user to open or process a specially crafted EMF+ file. This creates meaningful enterprise risk for environments where users may receive untrusted files, though it is less severe than a no-interaction network exploit. Highlights: - CVSS scores: Base 9.6 - Temporal 8.3 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Less Likely; network vector with LOW attack complexity, but USER INTERACTION is REQUIRED. - Severity for enterprise: Critical severity. Risk is higher for user-facing enterprise endpoints and mail/document workflows that handle untrusted files; lower than a no-interaction network exploit because user interaction is required. - Patch status: available; customer action required. Affected systems: - Windows 10 1607 - Windows 10 1809 - Windows 10 21H2 - Windows 10 22H2 - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2012 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server 2019 - Windows Server 2022 - Windows Server 2025