CVE-2026-57094 is a Microsoft Windows Media Foundation remote code execution vulnerability caused by a heap-based buffer overflow. Microsoft rates it CVSS v3.1 base 8.8 (HIGH) with a temporal score of 7.7; the attack vector is NETWORK, attack complexity is LOW, privileges required are NONE, but user interaction is REQUIRED. The impact is high for confidentiality, integrity, and availability. Microsoft says it has not been publicly disclosed or exploited, exploit code maturity is UNPROVEN, and customer action is required. The FAQ states the attack requires a user to open a specially crafted file from the attacker, which makes this more consistent with phishing or malicious-file delivery than a fully remote no-interaction network exploit. For enterprise environments, this is still a high-severity issue, but the required user interaction lowers the risk compared with network-only, no-click RCEs. Highlights: - CVSS scores: Base 8.8 - Temporal 7.7 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Less Likely; network vector with LOW attack complexity, NO privileges required, but USER INTERACTION REQUIRED. - Severity for enterprise: High severity. Network-delivered malicious files can affect users, but the required interaction reduces exposure compared with unattended network services. - Patch status: available Affected systems: - Windows 10 1607 - Windows 10 1809 - Windows 10 21H2 - Windows 10 22H2 - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2016 - Windows Server 2019 - Windows Server 2022 - Windows Server 2025