PatchSiren cyber security CVE debrief
CVE-2025-26687 Microsoft CVE debrief
CVE-2025-26687 is a Microsoft-reported use-after-free issue in Windows Win32K - GRFX. Microsoft and NVD classify it as a high-severity flaw that can be abused by an unauthorized attacker to elevate privileges, with user interaction required. The NVD record also maps the issue to multiple Windows versions and some Microsoft Office CPEs, so administrators should verify exposure against Microsoft’s advisory rather than relying on product name alone.
- Vendor: Microsoft
- Product: Microsoft Office for Android
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-04-08
- Original CVE updated: 2025-07-09
- Advisory published: 2025-04-08
- Advisory updated: 2025-07-09
Who should care
Windows administrators, Microsoft Office administrators, endpoint security teams, and patch managers responsible for the affected Windows and Office builds listed in the NVD record.
Technical summary
The official data describes a use-after-free condition in Windows Win32K - GRFX, mapped to CWE-416. NVD assigns CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, which indicates network-based attack potential with high attack complexity, no privileges required, but user interaction required, and high impact on confidentiality, integrity, and availability. The NVD CPE data marks several Microsoft Windows client and server releases as vulnerable, and also includes Microsoft Office and Office for Android entries with version ceilings. Because the vendor reference is Microsoft’s MSRC advisory, exact applicability should be confirmed there for the specific product build and patch level.
Defensive priority
High. The flaw is remotely reachable, requires no privileges, and can lead to full confidentiality, integrity, and availability impact if successfully exploited, but the high attack complexity, the need for user interaction, and the absence of KEV listing in the supplied data make it a strong patch priority rather than an emergency response item.
Recommended defensive actions
- Apply the Microsoft security update referenced by the MSRC advisory for CVE-2025-26687.
- Verify whether your specific Windows and/or Office builds match the NVD-listed vulnerable CPE ranges before and after patching.
- Prioritize systems that process untrusted content or receive frequent user interaction, since user interaction is required by the CVSS vector.
- Monitor endpoints for anomalous privilege escalation behavior and post-patch stability issues after deployment.
- Use Microsoft’s advisory as the source of truth for exact product coverage, especially where NVD lists both Windows and Office CPEs.
Evidence notes
The NVD record identifies the vulnerability as analyzed, links to Microsoft’s MSRC advisory, and supplies the CVSS vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The weakness classification in the supplied Microsoft reference is CWE-416. The CVE was published on 2025-04-08 and last modified on 2025-07-09. No KEV entry is present in the supplied enrichment data. The supplied NVD CPE list includes multiple Windows client/server versions and Microsoft Office/Office for Android entries; treat product applicability as advisory-driven and confirm against MSRC.
Official resources
- CVE-2025-26687 CVE record (CVE.org)
- CVE-2025-26687 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory (Microsoft MSRC)
Publicly disclosed in the official CVE/NVD record and Microsoft advisory on 2025-04-08; the CVE record was last modified on 2025-07-09. Not listed in the supplied KEV enrichment data.