MEDIUM 5.5

CVE-2026-45606: Out-of-Bounds Read in Microsoft UxTheme Library (uxtheme.dll)

A flaw in Microsoft's UxTheme Library (uxtheme.dll) can be exploited by a user with local access to cause a denial of service. The vulnerability stems from reading data outside the bounds of allocated memory. An attacker would need existing login credentials or physical access to the machine to trigger the issue, which could crash or hang the affected application, disrupting work but not exposing sensitive data.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-125
Affected products
24 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Out-of-bounds read in Microsoft UxTheme Library (uxtheme.dll) allows an authorized attacker to deny service locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45606 is an out-of-bounds read vulnerability in uxtheme.dll, the Windows theme engine library, classified as CWE-125. The defect allows an authenticated local attacker to read memory beyond the intended buffer boundaries, leading to denial of service via application crash or unresponsive state. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects that attack complexity is low, authentication is required, and the primary impact is availability loss with no confidentiality or integrity risk.

Business impact

Organizations running affected Windows versions face operational disruption if an authorized user (or insider) exploits this locally to crash theming service or dependent applications. Since no data exfiltration is possible, the risk is primarily business continuity—service interruptions, support overhead, and potential system restarts. The threat is lower than remote code execution or data theft vulnerabilities, but still warrants attention in environments with untrusted local users or high availability requirements.

Affected systems

The vulnerability affects Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server 2012, 2016, 2019, 2022, and 2025. Nearly the full breadth of modern Windows deployments is in scope, making patches broadly applicable across enterprise estates.

Exploitability

Exploitability is limited by two key factors: the attacker must possess local system access (authenticated user or physical proximity) and must craft or discover a specific trigger—no public exploit is documented, and the CVSS 'low complexity' rating indicates the attack path is straightforward once authenticated, but not trivial from the internet. The vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting real-world exploitation has not yet been reported.

Remediation

Microsoft has issued patches addressing this vulnerability. Organizations should apply the latest cumulative security updates for their Windows versions through Windows Update or the Microsoft Update Catalog. Administrators should verify patch deployment against the official vendor advisory to confirm applicable build numbers for each OS version.

Patch guidance

Obtain and deploy the latest cumulative security update from Microsoft for your Windows version. Consult the Microsoft Security Update Guide and official advisories for the specific KB article numbers and revised build versions. Test patches in a non-production environment before broad rollout, particularly if your environment relies heavily on theming or custom UI elements. Schedule updates to minimize user disruption.

Detection guidance

Monitor for unexpected terminations or hangs of processes that load uxtheme.dll (including Explorer, desktop applications, and system services). Implement application event log monitoring for crashes referencing uxtheme.dll. Endpoint detection and response (EDR) solutions should alert on suspicious local process execution patterns that might precede an exploitation attempt. Validate that least-privilege access controls are in place to reduce the population of authenticated local users.

Why prioritize this

While this is a medium-severity vulnerability requiring local authentication, the breadth of affected Windows versions (spanning Windows 10, 11, and Server 2016 through 2025) necessitates organization-wide patch planning. The absence of KEV listing and public exploits suggests a lower immediate threat, but the low attack complexity and guaranteed availability impact make it a reasonable early-stage priority in normal patch cycles. Organizations with strict availability requirements or untrusted user populations should prioritize higher.

Risk score, explained

The CVSS 5.5 score reflects moderate risk: local access is a significant gating factor, but once authenticated, exploitation is trivial to execute and guarantees denial of service. The score appropriately penalizes the lack of confidentiality or integrity impact, but the widespread affected product range and ease of exploitation keep it above 'low' severity. Real-world risk depends on your authentication controls and tolerance for application downtime.

Frequently asked questions

Do I need to be an administrator to trigger this vulnerability?

No. The CVSS vector indicates 'PR:L' (low privilege required), meaning a standard authenticated user can exploit it. However, you must have local access to the system—this is not remotely exploitable.

Can an attacker steal data or install malware using this flaw?

No. The out-of-bounds read causes denial of service only; there is no path to code execution, data exfiltration, or persistence. The impact is limited to crashing or hanging the affected application or service.

Why isn't this on the CISA KEV list if it affects so many Windows versions?

The vulnerability was published in June 2026 and has not been added to CISA's Known Exploited Vulnerabilities catalog, which typically tracks flaws actively exploited in the wild. The absence suggests limited real-world weaponization to date, though organizations should not rely on KEV status alone for prioritization.

Can I work around this without patching?

No reliable workaround exists. The best interim controls are enforcing least-privilege local access, disabling unnecessary user accounts, and monitoring for suspicious application crashes. Patching is the only proper remediation.

This analysis is based on published vulnerability data current as of the stated CVE publication date. Patch version numbers and specific KB articles should be verified against the official Microsoft Security Update Guide before deployment. Organizations should conduct their own risk assessment based on their unique environment, access controls, and business requirements. This explainer is provided for informational purposes and does not constitute professional security advice or a formal vulnerability assessment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).