Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45606

CVE-2026-45606: Microsoft UxTheme Library DoS Vulnerability

CVE-2026-45606 is an out-of-bounds read flaw in Microsoft UxTheme Library (uxtheme.dll) that enables authorized attackers to deny service locally. This article covers the technical details, impact, and mitigation.

Published:

CVE-2026-45606 Overview

CVE-2026-45606 is an out-of-bounds read vulnerability in the Microsoft UxTheme Library (uxtheme.dll). The flaw allows an authorized local attacker to trigger a denial-of-service condition on an affected Windows system. Microsoft documents the issue in its security update guide, and the National Vulnerability Database tracks it under CWE-125: Out-of-bounds Read.

The vulnerability requires local access with low privileges and no user interaction. Successful exploitation impacts availability but does not expose confidentiality or integrity. The EPSS probability is 0.051%, placing it in the 16.3 percentile for likelihood of exploitation.

Critical Impact

A local, authenticated attacker can crash or disrupt the UxTheme component, causing a denial of service on the targeted Windows host.

Affected Products

Discovery Timeline

  • 2026-06-09 - CVE-2026-45606 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-45606

Vulnerability Analysis

The vulnerability resides in uxtheme.dll, the Windows component responsible for rendering visual styles and themed UI elements. An out-of-bounds read [CWE-125] occurs when the library accesses memory outside the bounds of an allocated buffer. The malformed read leads to a process crash and a loss of availability for the affected service or user session.

The attack vector is local and requires the attacker to hold a valid set of low-privilege credentials on the target system. No user interaction is required to trigger the condition. The impact is limited to availability, meaning the flaw does not directly leak memory contents to the attacker or permit code execution.

Because uxtheme.dll is loaded by a wide range of Windows graphical processes, a successful trigger can disrupt interactive sessions or services that depend on theme APIs. The bug class is consistent with parser-level boundary mistakes in theme data structures, where insufficient length validation allows a read past an allocated region.

Root Cause

The root cause is missing or incorrect bounds validation when uxtheme.dll parses or processes theme-related data. The code path dereferences an index or pointer beyond the end of the source buffer. Microsoft has not publicly disclosed the exact function or data structure involved.

Attack Vector

An authenticated local attacker supplies crafted input to an API or interface exposed by the UxTheme library. The library performs an unbounded read against the attacker-controlled structure and faults, terminating the host process. No remote attack path is documented for this CVE. Technical details are available in the Microsoft Security Update Guide.

Detection Methods for CVE-2026-45606

Indicators of Compromise

  • Unexpected crashes of Windows processes that load uxtheme.dll, recorded in the Application event log with faulting module uxtheme.dll
  • Windows Error Reporting (WER) entries referencing access violations in uxtheme.dll
  • Repeated user-mode process terminations originating from a single low-privileged user account

Detection Strategies

  • Monitor Event ID 1000 (Application Error) for crashing modules matching uxtheme.dll
  • Correlate crash events with the executing user context to identify abuse by low-privilege accounts
  • Use endpoint telemetry to identify processes invoking UxTheme APIs with anomalous or malformed arguments

Monitoring Recommendations

  • Forward Windows application and WER logs to a centralized log platform for retention and analytics
  • Establish a baseline for normal uxtheme.dll crash frequency and alert on deviations
  • Track patch compliance for Windows hosts against the latest cumulative update referenced in the Microsoft advisory

How to Mitigate CVE-2026-45606

Immediate Actions Required

  • Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-45606 to all affected Windows systems
  • Prioritize patching on multi-user systems such as Remote Desktop Session Hosts and shared workstations where local users are present
  • Restrict interactive logon rights to trusted accounts on sensitive hosts until patches are deployed

Patch Information

Microsoft has published the fix through its standard security update channel. Administrators should consult the Microsoft Security Update Guide entry for CVE-2026-45606 for the specific KB articles and build numbers that address the vulnerability on each supported Windows release.

Workarounds

  • No vendor-supplied workaround is documented; patching is the supported remediation
  • Reduce exposure by limiting which low-privilege users can log on locally to critical hosts
  • Monitor for repeated process crashes and isolate hosts that exhibit signs of active abuse

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne