CVE-2026-32077 | THREATINT

Description

Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.

PUBLISHED Reserved 2026-03-10 | Published 2026-04-14 | Updated 2026-06-01 | Assigner microsoft

HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Problem types

CWE-822: Untrusted Pointer Dereference

Product status

10.0.14393.0 (custom) before 10.0.14393.9060

affected

10.0.17763.0 (custom) before 10.0.17763.8644

affected

10.0.19044.0 (custom) before 10.0.19044.7184

affected

10.0.19045.0 (custom) before 10.0.19045.7184

affected

10.0.22631.0 (custom) before 10.0.22631.6936

affected

10.0.22631.0 (custom) before 10.0.22631.6936

affected

10.0.26100.0 (custom) before 10.0.26100.8246

affected

10.0.26200.0 (custom) before 10.0.26200.8246

affected

10.0.28000.0 (custom) before 10.0.28000.1836

affected

6.2.9200.0 (custom) before 6.2.9200.26026

affected

6.2.9200.0 (custom) before 6.2.9200.26026

affected

6.3.9600.0 (custom) before 6.3.9600.23132

affected

6.3.9600.0 (custom) before 6.3.9600.23132

affected

10.0.14393.0 (custom) before 10.0.14393.9060

affected

10.0.14393.0 (custom) before 10.0.14393.9060

affected

10.0.17763.0 (custom) before 10.0.17763.8644

affected

10.0.17763.0 (custom) before 10.0.17763.8644

affected

10.0.20348.0 (custom) before 10.0.20348.5020

affected

10.0.25398.0 (custom) before 10.0.25398.2274

affected

10.0.26100.0 (custom) before 10.0.26100.32690

affected

10.0.26100.0 (custom) before 10.0.26100.32690

affected

References

www.vicarius.io/...lege-vulnerability-affecting-windows-upnp

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32077 (Windows UPnP Device Host Elevation of Privilege Vulnerability) vendor-advisory patch

cve.org (CVE-2026-32077)

nvd.nist.gov (CVE-2026-32077)

Download JSON