PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32077 Microsoft CVE debrief

CVE-2026-32077 is a HIGH severity (CVSS 7.8) local privilege escalation vulnerability in Microsoft Windows Universal Plug and Play (UPnP) Device Host. The vulnerability stems from an untrusted pointer dereference (CWE-822), allowing an authorized attacker with local access to elevate privileges without user interaction. The attack surface is limited to local exploitation, but successful exploitation grants high impact across confidentiality, integrity, and availability. Microsoft has addressed this vulnerability through security updates, with specific patch versions documented for affected Windows 10, Windows 11, and Windows Server releases. The vulnerability was first published on April 14, 2026, with the NVD record last modified on May 26, 2026. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Microsoft
Product: Windows 10 Version 1607
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-14
Original CVE updated: 2026-05-26
Advisory published: 2026-04-14
Advisory updated: 2026-05-26

Who should care

System administrators managing Windows endpoints and servers, security operations teams monitoring for privilege escalation activity, and organizations with shared workstation environments or remote desktop services where local user access is common.

Technical summary

The vulnerability exists in the Windows UPnP Device Host service (upnphost), which handles Universal Plug and Play device registration and management. An untrusted pointer dereference flaw allows a locally authenticated attacker to manipulate memory references and execute code with elevated privileges. The attack requires local access and low privileges but no user interaction, making it suitable for post-exploitation privilege escalation following initial compromise through other vectors. The vulnerability affects both client and server Windows editions, with patches available through Windows Update and Microsoft Update Catalog.

Defensive priority

HIGH

Recommended defensive actions

  • Apply Microsoft security updates to affected Windows systems, ensuring installation of builds at or above the specified patch versions for each OS release.
  • Prioritize patching on systems where UPnP Device Host service is enabled and where multiple users have local access, particularly multi-user workstations and terminal servers.
  • Consider disabling the UPnP Device Host service on systems where Universal Plug and Play functionality is not required, following organizational change management procedures.
  • Monitor for anomalous privilege escalation attempts through endpoint detection and response (EDR) solutions, focusing on processes interacting with upnphost.dll or the UPnP Device Host service.
  • Review local user accounts and restrict interactive logon privileges where possible to reduce the attack surface for local privilege escalation vulnerabilities.

Evidence notes

The vulnerability is classified as CWE-822 (Untrusted Pointer Dereference) per Microsoft's submission. CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Affected products span Windows 10 versions 1607 through 22H2, Windows 11 versions 23H2 through 26H1, Windows Server 2012/2012 R2, Windows Server 2016, 2019, 2022, 2022 23H2, and Windows Server 2025. Specific security update build numbers are documented in CPE criteria, including 10.0.14393.9060, 10.0.17763.8644, 10.0.19044.7184, 10.0.19045.7184, 10.0.22631.6936, 10.0.26100.8246, 10.0.26200.8246, 10.0.28000.1836, 10.0.20348.5020, 10.0.25398.2274, and 10.0.26100.32690.
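The first recommended action (builds at or above the patched versions) can be checked against an inventory export using the build list above. This is an added example, not PatchSiren's or Microsoft's code; the hostnames and installed builds are constructed, and the "review" status is an assumption made here because the page does not say which product each of the two 10.0.26100 entries belongs to.

```python
import re
from collections import defaultdict
# Fixed builds copied from the Evidence notes (CPE criteria) on this page.
FIXED_BUILDS = [
    "10.0.14393.9060", "10.0.17763.8644", "10.0.19044.7184", "10.0.19045.7184",
    "10.0.22631.6936", "10.0.26100.8246", "10.0.26200.8246", "10.0.28000.1836",
    "10.0.20348.5020", "10.0.25398.2274", "10.0.26100.32690",
]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Split 'major.minor.build.revision' into ((major, minor, build), revision)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unexpected version string: {text!r}")
    major, minor, build, rev = map(int, m.groups())
    return (major, minor, build), rev

# Release line -> fixed revisions. 10.0.26100 is listed twice (8246 and 32690).
THRESHOLDS = defaultdict(list)
for _line, _rev in map(parse_version, FIXED_BUILDS):
    THRESHOLDS[_line].append(_rev)

def classify(version):
    """Return 'patched', 'needs-update', 'review' or 'not-listed'."""
    try:
        line, rev = parse_version(version)
    except ValueError:
        return "review"        # malformed inventory value: check by hand
    revs = THRESHOLDS.get(line)
    if revs is None:
        return "not-listed"    # no fixed build for this line in the list above
    if rev >= max(revs):
        return "patched"
    if rev < min(revs):
        return "needs-update"
    return "review"            # between two fixes listed for the same line

def triage(inventory):
    # Group (hostname, version) pairs by classification.
    groups = defaultdict(list)
    for host, version in inventory:
        groups[classify(version)].append(host)
    return dict(groups)

# Constructed sample inventory: hostnames and installed builds are made up.
SAMPLE = [("ws-01", "10.0.19045.7184"), ("ws-02", "10.0.19045.6456"),
          ("rds-01", "10.0.26100.9000"), ("srv-old", "6.3.9600.22000")]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts reported as "not-listed" or "review" need to be resolved against the Microsoft advisory, since the page introduces its build list with "including" and the list may not be exhaustive.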

Official resources

Microsoft disclosed this vulnerability on April 14, 2026, as part of its regular security update cycle. The NVD entry was subsequently modified on May 26, 2026, reflecting ongoing metadata updates. The vulnerability affects a core Windows system