SB2026071705 - Multiple vulnerabilities in Microsoft Windows
Published: July 17, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 220 vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2026-49164)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Active Directory Domain Services when handling network requests. A remote attacker can send specially crafted requests to execute arbitrary code.
Successful exploitation requires additional actions to prepare the target environment.
2) Use-after-free (CVE-ID: CVE-2026-49169)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute code.
The vulnerability exists due to use-after-free in DNS Server when handling network requests. A remote user can send specially crafted requests to execute code.
3) Improper access control (CVE-ID: CVE-2026-49170)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in Windows StateRepository API when handling local API requests. A local user can invoke the vulnerable API to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
4) Missing Authentication for Critical Function (CVE-ID: CVE-2026-49174)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform tampering.
The vulnerability exists due to improper access control in Windows DNS when invoking a critical function. A local user can invoke the vulnerable function to perform tampering.
5) Use-after-free (CVE-ID: CVE-2026-54129)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Hyper-V when handling crafted operations. A local user can trigger the flaw to escalate privileges.
6) Use-after-free (CVE-ID: CVE-2026-54989)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in the Quality Windows Audio/Video Experience (QWAVE) service when handling local requests. A local user can trigger the use-after-free condition to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
7) Heap-based buffer overflow (CVE-ID: CVE-2026-54990)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Remote Desktop Client when handling responses from a malicious RDP server. A remote attacker can send specially crafted responses to execute arbitrary code.
User interaction is required to establish a connection to a malicious RDP server.
8) Race condition (CVE-ID: CVE-2026-54111)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to elevate privileges.
The vulnerability exists due to concurrent execution using shared resource with improper synchronization in Windows USB Print Driver when handling concurrent operations on a shared resource. A local user can trigger a race condition to elevate privileges.
The issue can also result in kernel memory read from a user mode process.
9) Race condition (CVE-ID: CVE-2026-54107)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to concurrent execution using a shared resource with improper synchronization in Windows Win32K when handling concurrent operations on shared resources. A local user can trigger a race condition to escalate privileges.
10) Heap-based buffer overflow (CVE-ID: CVE-2026-54986)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows Win32K when handling crafted local input. A local user can trigger the overflow to escalate privileges.
Successful exploitation could allow access to SYSTEM privileges.
11) Improper Certificate Validation (CVE-ID: CVE-2026-55001)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper certificate validation in Windows Active Directory when validating certificates. A local user can present a certificate that is improperly validated to escalate privileges.
Successful exploitation could lead to administrator privileges.
12) Race condition (CVE-ID: CVE-2026-54112)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to elevate privileges.
The vulnerability exists due to concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K when handling concurrent operations on shared resources. A local user can trigger a race condition to elevate privileges.
13) Integer underflow (CVE-ID: CVE-2026-54982)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to integer underflow in Reliable Multicast Transport Driver (RMCAST) when processing network traffic on the same network segment. A remote attacker can send specially crafted network traffic to execute arbitrary code.
The attack is limited to systems on the same network segment as the attacker.
14) Use-after-free (CVE-ID: CVE-2026-54114)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Win32K when handling crafted local operations. A local user can trigger the use-after-free condition to escalate privileges.
15) Infinite loop (CVE-ID: CVE-2026-54119)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an infinite loop in Windows Active Directory when handling network requests. A remote attacker can send a specially crafted request to cause a denial of service.
16) Use-after-free (CVE-ID: CVE-2026-54995)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in Reliable Multicast Transport Driver (RMCAST) when handling network traffic. A remote attacker can send crafted network data to execute arbitrary code.
17) Heap-based buffer overflow (CVE-ID: CVE-2026-54122)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows GDI+ when processing crafted content delivered via a malicious link or email. A remote attacker can send a specially crafted email or malicious link to execute arbitrary code.
User interaction may be required in some attack scenarios, but the highest-risk scenario does not require the victim to open, read, or click the link.
18) Missing Required Cryptographic Step (CVE-ID: CVE-2026-55144)
CWE-ID: CWE-325 - Missing Required Cryptographic Step
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform tampering.
The vulnerability exists due to a missing cryptographic step in Windows CryptoAPI when processing cryptographic operations locally. A local user can invoke the vulnerable functionality to perform tampering.
19) Use-after-free (CVE-ID: CVE-2026-50694)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in Windows Secure Socket Tunneling Protocol (SSTP) when handling SSTP packets. A remote attacker can send a specially crafted malicious SSTP packet to execute arbitrary code.
20) Use-after-free (CVE-ID: CVE-2026-54127)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to escalate privileges.
The vulnerability exists due to use-after-free in Windows Hyper-V when handling local operations. A local attacker can trigger the flaw to escalate privileges.
21) Untrusted search path (CVE-ID: CVE-2026-57097)
CWE-ID: CWE-426 - Untrusted Search Path
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an attacker with physical access to bypass a security feature.
The vulnerability exists due to untrusted search path in Microsoft XML when loading resources from the search path. An attacker with physical access can place a crafted file in a searched location to bypass a security feature.
22) NULL pointer dereference (CVE-ID: CVE-2026-57976)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in Active Directory Domain Services when handling network requests. A remote user can send a specially crafted request to cause a denial of service.
23) Use-after-free (CVE-ID: CVE-2026-58608)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to a use-after-free in Windows Print Spooler Components when handling crafted interactions with the print spooler service. A remote user can create and close a printer handle without properly invalidating a related notification handle to execute arbitrary code.
24) Out-of-bounds read (CVE-ID: CVE-2026-58609)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to execute arbitrary code.
The vulnerability exists due to out-of-bounds read in Microsoft Graphics Component when parsing input. A local attacker can trigger the vulnerable component with crafted input to execute arbitrary code.
25) Command injection (CVE-ID: CVE-2026-58635)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to command injection in Windows Narrator Braille when processing special elements used in a command. A local user can inject crafted command elements to escalate privileges.
Successful exploitation can execute code in the security context of the NT AUTHORITY\Network Service account.
26) Heap-based buffer overflow (CVE-ID: CVE-2026-58640)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when parsing input. A local user can trigger the flaw to execute arbitrary code.
27) Information disclosure (CVE-ID: CVE-2026-34328)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in Windows Audio Service when exposing service memory information locally. A local user can access memory address information belonging to the EventLog Windows service to disclose sensitive information.
The disclosed information is limited to memory addresses belonging to the EventLog Windows service.
28) Path traversal (CVE-ID: CVE-2026-40400)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to path traversal in Windows PowerShell when processing a crafted link path over the network. A remote attacker can cause an authenticated client to click a crafted link to execute arbitrary code.
User interaction is required, and exploitation depends on an authenticated client clicking a link.
29) Protection mechanism failure (CVE-ID: CVE-2026-34348)
CWE-ID: CWE-693 - Protection Mechanism Failure
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to protection mechanism failure in Windows Event Logging Service when handling network requests. A remote user can send crafted requests to disclose sensitive information.
The disclosed information is limited to small portions of heap memory.
30) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-44806)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to missing release of memory after effective lifetime in Windows Cryptographic Services when handling network requests. A remote attacker can send a specially crafted request to cause a denial of service.
31) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-40378)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to memory allocation with excessive size value in Windows Local Security Authority Subsystem Service (LSASS) when handling network requests. A remote attacker can send a specially crafted request to cause a denial of service.
32) Race condition (CVE-ID: CVE-2026-44800)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a race condition in Windows Push Notifications when performing concurrent execution using a shared resource. A local user can trigger concurrent operations to escalate privileges.
Successful exploitation requires winning a race condition and could result in gaining SYSTEM privileges and escaping a contained execution environment.
33) Heap-based buffer overflow (CVE-ID: CVE-2026-49178)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in the NSPI RPC interface in Active Directory Domain Services when processing crafted inputs. A remote user can send crafted RPC inputs to execute arbitrary code.
Exploitation requires domain authentication and does not require user interaction.
34) Link following (CVE-ID: CVE-2026-49180)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) when accessing files. A local user can leverage a crafted link to disclose sensitive information.
The disclosed information is limited to file content.
35) Integer underflow (CVE-ID: CVE-2026-49181)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to integer underflow in Windows DHCP Client when handling network traffic. A remote attacker can send specially crafted network traffic to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
36) Heap-based buffer overflow (CVE-ID: CVE-2026-49184)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when parsing input. A remote attacker can trigger the flaw to execute arbitrary code.
37) Race condition (CVE-ID: CVE-2026-49183)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper synchronization in Windows Clipboard Server when concurrently accessing a shared resource. A local user can win a race condition to escalate privileges.
Successful exploitation requires winning a race condition and may result in SYSTEM privileges.
38) Improper access control (CVE-ID: CVE-2026-49783)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass a security feature.
The vulnerability exists due to improper access control in Windows Secure Boot when performing security checks for standard boot conditions. A local user can exploit the flawed security check to bypass a security feature.
The vulnerability could allow Secure Boot to be bypassed.
39) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-49787)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in HTTP.sys when handling network requests. A remote attacker can send crafted requests to cause a denial of service.
40) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-49788)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in HTTP/2 when handling network requests. A remote attacker can send crafted HTTP/2 traffic to cause a denial of service.
41) Stack-based buffer overflow (CVE-ID: CVE-2026-49789)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to stack-based buffer overflow in Windows NTFS when parsing input. A local user can trigger the flaw to escalate privileges.
42) Improper access control (CVE-ID: CVE-2026-49790)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in the Windows Universal Disk Format File System Driver (UDFS) when handling local file system operations. A local user can trigger the vulnerable driver behavior to escalate privileges.
43) Link following (CVE-ID: CVE-2026-49791)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper link resolution before file access in Windows Routing and Remote Access Service (RRAS) when accessing files through links. A local user can exploit link following to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
44) Heap-based buffer overflow (CVE-ID: CVE-2026-49796)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows GDI+ when processing crafted content locally. A local user can execute crafted code on the local system to execute arbitrary code.
The issue is described as remote code execution in the title, but exploitation occurs locally.
45) Heap-based buffer overflow (CVE-ID: CVE-2026-49797)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when parsing input. A local attacker can trigger the flaw to execute arbitrary code.
46) Resource exhaustion (CVE-ID: CVE-2026-49799)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) when handling network requests. A remote user can send crafted requests to cause a denial of service.
47) Integer underflow (CVE-ID: CVE-2026-50308)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to execute arbitrary code.
The vulnerability exists due to integer underflow in Windows NTFS when parsing input. A local attacker can trigger the flaw to execute arbitrary code.
48) Improper access control (CVE-ID: CVE-2026-50311)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in Windows Server when handling local access to the vulnerable functionality. A local user can leverage authorized access to escalate privileges.
49) Heap-based buffer overflow (CVE-ID: CVE-2026-49804)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to elevate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows USB Video Driver when processing USB video input. An attacker with physical access can provide a specially crafted physical device to elevate privileges.
50) Missing Authentication for Critical Function (CVE-ID: CVE-2026-50333)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in Windows Spaceport.sys when invoking a critical function locally. A local user can invoke the vulnerable function to escalate privileges.
Successful exploitation could allow access to SYSTEM privileges.
51) Improper access control (CVE-ID: CVE-2026-49805)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in Windows Win32K when handling local access to privileged functionality. A local user can exploit the access control weakness to escalate privileges.
Successful exploitation can lead to SYSTEM privileges. Exploitation requires preparing the target environment to improve reliability.
52) Race condition (CVE-ID: CVE-2026-49803)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a race condition in Windows AppX Deployment Service when performing concurrent execution using shared resources. A local user can trigger concurrent operations to escalate privileges.
Successful exploitation requires winning a race condition and may result in SYSTEM privileges.
53) Improper access control (CVE-ID: CVE-2026-50351)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in Windows Audio Compression Manager (ACM) when handling local access to the component. A local user can leverage authorized access to escalate privileges.
54) Information disclosure (CVE-ID: CVE-2026-49807)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in Windows DirectX when handling local access to the component. A local attacker can access the vulnerable component to disclose sensitive information.
55) Integer overflow (CVE-ID: CVE-2026-50298)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to escalate privileges.
The vulnerability exists due to integer overflow or wraparound in Windows Spaceport.sys when processing crafted input through physical access to the system. An attacker with physical access can trigger the flaw to escalate privileges.
Successful exploitation could allow the attacker to obtain SYSTEM privileges.
56) Use-after-free (CVE-ID: CVE-2026-50293)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Internal Task Bar when handling crafted local interactions. A local user can trigger the use-after-free condition to escalate privileges.
57) Improper access control (CVE-ID: CVE-2026-50297)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in Windows Win32K when handling local access to Win32K functionality. A local user can exploit the access control flaw to escalate privileges.
Successful exploitation could grant SYSTEM privileges. Exploitation requires preparation of the target environment to improve reliability.
58) Improper access control (CVE-ID: CVE-2026-50325)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in Windows Win32K when handling local operations. A local user can exploit the access control flaw to escalate privileges.
Successful exploitation requires preparation of the target environment to improve exploit reliability.
59) Race condition (CVE-ID: CVE-2026-50384)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to concurrent execution using shared resource with improper synchronization in Windows Clip Service when handling concurrent operations. A local user can win a race condition to escalate privileges.
A successful exploit grants the rights of the user running the affected application.
60) Improper privilege management (CVE-ID: CVE-2026-50295)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass Zero Trust DNS policy enforcement.
The vulnerability exists due to improper privilege management in Windows DNS when enforcing Zero Trust DNS policies locally. A local user can exploit the privilege management flaw to bypass Zero Trust DNS policy enforcement.
61) Improper access control (CVE-ID: CVE-2026-50350)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in Windows Trusted Runtime Interface Driver when handling requests from a lower integrity caller process. A local user can trigger the driver to disclose the address of a medium integrity process to disclose sensitive information.
The disclosed information is the address of a medium integrity process leaked to a lower integrity caller process.
62) Type Confusion (CVE-ID: CVE-2026-50381)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to type confusion in Composite Image File System Driver (cimfs.sys) when accessing a resource using an incompatible type. A local user can trigger the flaw to disclose sensitive information.
The disclosed information is limited to file metadata.
63) Integer underflow (CVE-ID: CVE-2026-50300)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to integer underflow in Windows Kernel when handling crafted local operations. A local user can trigger the integer underflow to disclose sensitive information.
An attacker who successfully exploits this vulnerability could read small portions of heap memory.
64) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2026-50303)
CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass the authentication feature.
The vulnerability exists due to use of a cryptographic primitive with a risky implementation in Windows Key Guard when processing authentication operations. A local user can exploit the flawed cryptographic implementation to bypass the authentication feature.
This vulnerability can enable impersonation.
65) Use-after-free (CVE-ID: CVE-2026-50329)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Kernel when handling crafted local actions. A local user can trigger the use-after-free condition to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
66) Heap-based buffer overflow (CVE-ID: CVE-2026-50363)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows Push Notifications when processing input. A local user can trigger the heap-based buffer overflow to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
67) Stack-based buffer overflow (CVE-ID: CVE-2026-50412)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to stack-based buffer overflow in Windows NTFS when parsing input. A local user can trigger the flaw to escalate privileges.
68) Type conversion (CVE-ID: CVE-2026-50337)
CWE-ID: CWE-704 - Type conversion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to incorrect type conversion or cast in Windows Notification when handling local input. A local user can trigger the flawed type conversion to escalate privileges.
Successful exploitation could grant SYSTEM privileges.
69) Heap-based buffer overflow (CVE-ID: CVE-2026-50386)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when parsing input. A local attacker can trigger the flaw to execute arbitrary code.
70) Heap-based buffer overflow (CVE-ID: CVE-2026-50309)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when parsing input. A local user can trigger the flaw to execute arbitrary code.
71) Use-after-free (CVE-ID: CVE-2026-50326)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Unified Consent System when handling user interactions. A local user can trigger the flaw to escalate privileges.
72) Heap-based buffer overflow (CVE-ID: CVE-2026-50313)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when parsing crafted input locally. A remote attacker can trigger the flaw to execute arbitrary code.
73) Race condition (CVE-ID: CVE-2026-50440)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to concurrent execution using a shared resource with improper synchronization in Windows Audio Service when handling concurrent operations locally. A local user can trigger a race condition to escalate privileges.
74) Heap-based buffer overflow (CVE-ID: CVE-2026-50380)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows GDI+ when rendering a specially crafted EMF+ file containing a malicious image record. A remote attacker can trick a user into opening or processing a crafted file to execute arbitrary code.
User interaction is required to open or process the crafted file.
75) Out-of-bounds read (CVE-ID: CVE-2026-50341)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in Windows NTFS when parsing file system data. A local user can trigger the vulnerable code path to disclose sensitive information.
Exploitation could allow disclosure of certain kernel memory content.
76) Use-after-free (CVE-ID: CVE-2026-50331)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to elevate privileges.
The vulnerability exists due to use-after-free in Windows Application Model when handling crafted local actions. A local user can trigger the flaw to elevate privileges.
Successful exploitation could lead to SYSTEM privileges.
77) Improper privilege management (CVE-ID: CVE-2026-50343)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management in Microsoft Install Service when handling local operations. A local user can leverage the service to escalate privileges.
Successful exploitation can result in SYSTEM privileges.
78) Heap-based buffer overflow (CVE-ID: CVE-2026-50347)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows Data.dll when parsing input. A local user can execute code on the local machine to execute arbitrary code.
79) Race condition (CVE-ID: CVE-2026-50321)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a race condition in Windows USB Driver when accessing shared resources concurrently. A local user can trigger concurrent execution to escalate privileges.
80) Use-after-free (CVE-ID: CVE-2026-50425)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Internal System User Profile when handling user profile operations. A local user can trigger the use-after-free condition to escalate privileges.
81) NULL pointer dereference (CVE-ID: CVE-2026-50315)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a null pointer dereference in Windows Image Acquisition when processing crafted local input. A local user can trigger the flaw to escalate privileges.
Successful exploitation could elevate privileges from Medium Integrity Level to Local Service or SYSTEM.
82) Information disclosure (CVE-ID: CVE-2026-50434)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in Windows Push Notifications when exposing process address information to a lower integrity caller process. A local user can access Windows Push Notifications to disclose sensitive information.
Successful exploitation could leak the address of a medium integrity process to a lower integrity caller process.
83) Information disclosure (CVE-ID: CVE-2026-50339)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in Windows Push Notifications when exposing process address information to a lower integrity caller process. A local user can access medium integrity process address information to disclose sensitive information.
Successful exploitation could leak the address of a medium integrity process to a lower integrity caller process.
84) Information disclosure (CVE-ID: CVE-2026-50430)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in Windows Push Notifications when exposing process address information to a lower integrity caller process. A local user can access the vulnerable functionality to disclose sensitive information.
Successful exploitation could leak the address of a medium integrity process to a lower integrity caller process.
85) Integer overflow (CVE-ID: CVE-2026-50310)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to integer overflow or wraparound in Windows Devices Human Interface when processing crafted input locally. A local user can trigger the flaw to disclose sensitive information.
Successful exploitation requires additional actions to prepare the target environment and may disclose kernel memory addresses.
86) Heap-based buffer overflow (CVE-ID: CVE-2026-50330)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Remote Desktop Client when handling network connections. A remote attacker can send crafted network data to escalate privileges.
87) Improper access control (CVE-ID: CVE-2026-50335)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in Windows Operating Systems when accessing vulnerable resources locally. A local user can leverage authorized local access to escalate privileges.
Successful exploitation could grant SYSTEM privileges.
88) Race condition (CVE-ID: CVE-2026-50317)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a race condition in Windows Operating Systems when concurrently accessing shared resources. A local user can trigger concurrent execution to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
89) NULL pointer dereference (CVE-ID: CVE-2026-50366)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to null pointer dereference in Active Directory Domain Services when handling network requests. A remote user can send a specially crafted request to cause a denial of service.
90) Information disclosure (CVE-ID: CVE-2026-50416)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in Win32K when handling local operations. A local user can exploit the issue to disclose sensitive information.
An attacker who successfully exploits this vulnerability could read small portions of heap memory.
91) Improper access control (CVE-ID: CVE-2026-50373)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in Microsoft Windows Search Component when handling local access to the affected application. A local user can exploit the access control weakness to escalate privileges.
The attacker would gain the rights of the user that is running the affected application.
92) Out-of-bounds read (CVE-ID: CVE-2026-50388)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to out-of-bounds read in Windows NTFS when parsing crafted NTFS data. A local user can supply crafted NTFS data to execute arbitrary code.
93) Improper privilege management (CVE-ID: CVE-2026-50391)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management in Windows Group Policy when applying group policy settings. A local user can exploit the flaw to escalate privileges.
Successful exploitation can result in SYSTEM privileges.
94) Improper access control (CVE-ID: CVE-2026-50418)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to bypass an authentication feature and disclose sensitive information.
The vulnerability exists due to improper access control in Windows System when handling local access to the system. A local attacker can exploit the access control weakness to bypass an authentication feature and disclose sensitive information.
The vulnerability allows impersonation and could also enable modification of disclosed information.
95) Race condition (CVE-ID: CVE-2026-50378)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to concurrent execution using a shared resource with improper synchronization in Windows Key Guard when handling local operations. A local user can win a race condition to escalate privileges.
Successful exploitation could grant SYSTEM privileges.
96) Out-of-bounds read (CVE-ID: CVE-2026-50401)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in Windows Cloud Files Mini Filter Driver when parsing input. A local user can trigger the vulnerable driver behavior to disclose sensitive information.
Exploitation could disclose certain kernel memory content.
97) Improper Authorization (CVE-ID: CVE-2026-50346)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper authorization in RPC Runtime when handling RPC requests. A local user can send a specially crafted RPC request to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
98) Use of uninitialized resource (CVE-ID: CVE-2026-50376)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to use of uninitialized resource in Windows RDP when handling remote desktop connections with remote audio playback and recording enabled. A remote attacker can operate a malicious server to disclose sensitive information.
User interaction is required: a victim user on the client must enable Remote Audio Playback and Recording and connect to the malicious server.
99) Insufficient Granularity of Access Control (CVE-ID: CVE-2026-50405)
CWE-ID: CWE-1220 - Insufficient Granularity of Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to insufficient granularity of access control in Windows Filtering Platform (WFP) when handling local access to filtering platform resources. A local user can leverage the access control weakness to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
100) Heap-based buffer overflow (CVE-ID: CVE-2026-50448)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when mounting a crafted .vhd file. A remote attacker can trick a victim into mounting a crafted .vhd file to execute arbitrary code.
User interaction is required to mount a .vhd file.
101) Stack-based buffer overflow (CVE-ID: CVE-2026-50387)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to stack-based buffer overflow in Windows GDI when parsing input. A local user can trigger the flaw to escalate privileges.
Successful exploitation could allow the attacker to gain SYSTEM privileges.
102) Improper access control (CVE-ID: CVE-2026-50334)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in Windows Notification when handling local requests. A local user can access exposed notification-related information to disclose sensitive information.
Successful exploitation could leak the address of a medium integrity process to a lower integrity caller process.
103) Improper Authorization (CVE-ID: CVE-2026-50344)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper authorization in Windows OLE when handling local access to the component. A local user can exploit the authorization weakness to escalate privileges.
Successful exploitation could grant SYSTEM privileges.
104) Out-of-bounds read (CVE-ID: CVE-2026-50437)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in Windows DWM Core Library when parsing input. A local user can trigger the out-of-bounds read to disclose sensitive information.
An attacker who successfully exploited this vulnerability could potentially read portions of heap memory.
105) Heap-based buffer overflow (CVE-ID: CVE-2026-50471)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when mounting a crafted .vhd file. A remote attacker can trick the victim into mounting a crafted .vhd file to execute arbitrary code.
User interaction is required to mount the crafted .vhd file.
106) Use-after-free (CVE-ID: CVE-2026-50369)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to elevate privileges.
The vulnerability exists due to use-after-free in Windows Remote Desktop Services when handling a remote connection and manipulating memory allocation size through integer overflow. A remote user can perform a remote connection to a vulnerable machine and manipulate the size of memory allocation to elevate privileges.
Successful exploitation could allow the attacker to gain SYSTEM privileges.
107) Link following (CVE-ID: CVE-2026-50469)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper link resolution before file access ('link following') in Windows Projected File System when accessing files. A local user can create or manipulate links to escalate privileges.
A successful exploit would allow deletion of arbitrary system files.
108) Path traversal (CVE-ID: CVE-2026-50454)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to elevate privileges.
The vulnerability exists due to relative path traversal in Windows User Interface Core when handling local file paths. A local user can manipulate path input to elevate privileges.
Successful exploitation could allow deletion of arbitrary system files and lead to SYSTEM privileges.
109) Improper Authentication (CVE-ID: CVE-2026-50365)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to improper authentication in Windows RPC API when a user actively connects to the affected server and runs a specific command. A remote attacker can send a specially crafted command over an adjacent network to escalate privileges.
Successful exploitation could result in SYSTEM privileges. User interaction is required to connect to the server and run the command.
110) Relative Path Traversal (CVE-ID: CVE-2026-50426)
CWE-ID: CWE-23 - Relative Path Traversal
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote privileged user to execute code.
The vulnerability exists due to relative path traversal in DNS Server when processing crafted path input over an adjacent network. A remote privileged user can supply a crafted relative path to execute code.
Exploitation is limited to systems on the same network segment, such as the same network switch or virtual network.
111) Use-after-free (CVE-ID: CVE-2026-50427)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Content Delivery Manager when processing crafted local input. A local user can trigger the vulnerable condition to escalate privileges.
Successful exploitation could elevate privileges from a low integrity level to a medium integrity level.
112) Out-of-bounds read (CVE-ID: CVE-2026-50422)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to out-of-bounds read in Windows NTFS when parsing crafted file system metadata. A local user can trigger the flaw to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
113) Type Confusion (CVE-ID: CVE-2026-50421)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to type confusion in Windows Connected User Experiences and Telemetry when accessing a resource using an incompatible type. A local user can trigger the type confusion to escalate privileges.
Successful exploitation could allow the attacker to gain SYSTEM privileges.
114) Use-after-free (CVE-ID: CVE-2026-50374)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an attacker with physical access to elevate privileges.
The vulnerability exists due to use-after-free in Windows Cloud Files Mini Filter Driver when processing local input. An attacker with physical access can trigger the use-after-free condition to elevate privileges.
Successful exploitation could allow the attacker to gain SYSTEM privileges.
115) Improper Validation of Array Index (CVE-ID: CVE-2026-50367)
CWE-ID: CWE-129 - Improper Validation of Array Index
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access of indexable resource in Windows Sensor Data Service when accessing an indexable resource. A local user can trigger a range error to escalate privileges.
116) Out-of-bounds read (CVE-ID: CVE-2026-50383)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in Windows Print Spooler Components when parsing input. A local user can trigger a buffer over-read to disclose sensitive information.
The disclosed information may include unauthorized file system access data, including reading from the file system.
117) Missing Authentication for Critical Function (CVE-ID: CVE-2026-50451)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to missing authentication for a critical function in Windows Routing and Remote Access Service (RRAS) when invoking a critical function locally. A local user can access the affected functionality to escalate privileges.
Successful exploitation could grant SYSTEM privileges.
118) Use of uninitialized resource (CVE-ID: CVE-2026-50455)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to use of uninitialized resource in upnp.dll when handling local access to files through the UPnP Device Host Service. A local user can access files readable by the service to disclose sensitive information.
The exposed data may include restricted system files or configuration data accessible to the service running under the LOCAL SERVICE account.
119) Incorrect Conversion between Numeric Types (CVE-ID: CVE-2026-50402)
CWE-ID: CWE-681 - Incorrect Conversion between Numeric Types
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to elevate privileges.
The vulnerability exists due to incorrect conversion between numeric types in Windows NTFS when processing crafted local input. A local user can trigger the flaw to elevate privileges.
120) Use-after-free (CVE-ID: CVE-2026-50432)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to use-after-free in Windows Virtual Filtering Platform (VFP) when handling network traffic. A remote user can trigger the use-after-free condition to cause a denial of service.
121) Heap-based buffer overflow (CVE-ID: CVE-2026-50461)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when mounting a crafted .vhd file. A remote attacker can trick the victim into mounting a specially crafted .vhd file to execute arbitrary code.
User interaction is required to mount the crafted .vhd file.
122) Information disclosure (CVE-ID: CVE-2026-50431)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an information disclosure issue in Windows Quality of Service (QoS) Packet Scheduler when handling network traffic. A remote attacker can send crafted traffic to disclose sensitive information.
The issue can disclose certain kernel memory addresses, which could aid further attacks.
123) Heap-based buffer overflow (CVE-ID: CVE-2026-50417)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute code.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when parsing input. A local user can trigger the flaw to execute code.
124) Heap-based buffer overflow (CVE-ID: CVE-2026-50447)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows Message Queuing Service (MSMQ) when processing a specially crafted request containing a maliciously formed domain name. A remote attacker can send a specially crafted request to execute arbitrary code.
125) Out-of-bounds read (CVE-ID: CVE-2026-50420)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in HTTP.sys when processing requests locally. A local attacker can trigger the vulnerable code path to disclose sensitive information.
126) Use-after-free (CVE-ID: CVE-2026-50474)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in Remote Desktop Client when handling network connections. A remote attacker can send specially crafted network traffic to execute arbitrary code.
127) Untrusted Pointer Dereference (CVE-ID: CVE-2026-50424)
CWE-ID: CWE-822 - Untrusted Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to untrusted pointer dereference in Windows Domain Controller when handling network requests. A remote attacker can send a specially crafted request to cause a denial of service.
128) Use-after-free (CVE-ID: CVE-2026-50406)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to elevate privileges.
The vulnerability exists due to use-after-free in Windows Backup Engine when handling local operations. A local user can trigger the use-after-free condition to elevate privileges.
129) Out-of-bounds read (CVE-ID: CVE-2026-50470)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in Windows Network Policy Server SNMP when handling network requests. A remote attacker can send a specially crafted request to disclose sensitive information.
An attacker who successfully exploits this vulnerability could read portions of process memory.
130) Untrusted Pointer Dereference (CVE-ID: CVE-2026-50479)
CWE-ID: CWE-822 - Untrusted Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to untrusted pointer dereference in Windows USB Hub Driver when handling local operations. A local user can trigger the vulnerable driver behavior to escalate privileges.
131) Heap-based buffer overflow (CVE-ID: CVE-2026-50482)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when parsing input. A local user can trigger the flaw to execute arbitrary code.
132) Improper access control (CVE-ID: CVE-2026-50495)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform tampering.
The vulnerability exists due to improper access control in Windows DNS when handling local access to DNS functionality. A local user can leverage authorized local access to perform tampering.
133) Information disclosure (CVE-ID: CVE-2026-50483)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component when processing local access to the component. A local user can access the vulnerable component to disclose sensitive information.
134) Improper access control (CVE-ID: CVE-2026-50502)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute code.
The vulnerability exists due to improper access control in Windows Event Logging Service when handling network requests. A remote user can send a crafted request to execute code.
135) Out-of-bounds read (CVE-ID: CVE-2026-50485)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in Windows Hyper-V when handling adjacent network input. A remote user can send crafted network traffic to cause a denial of service.
136) Command injection (CVE-ID: CVE-2026-50488)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to command injection in Windows Clipboard User Service when processing command input. A local user can inject crafted command elements to escalate privileges.
137) Use-after-free (CVE-ID: CVE-2026-50500)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to elevate privileges.
The vulnerability exists due to use-after-free in Windows Netlogon when handling network requests. A remote user can send a specially crafted request to elevate privileges.
Successful exploitation can result in SYSTEM privileges.
138) Heap-based buffer overflow (CVE-ID: CVE-2026-50499)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to elevate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows Print Spooler Components when handling local operations. A local user can trigger the vulnerable component to elevate privileges.
Successful exploitation could allow the attacker to obtain SYSTEM privileges.
139) Heap-based buffer overflow (CVE-ID: CVE-2026-50489)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows Win32K when handling crafted local input. A local user can trigger the overflow to escalate privileges.
Successful exploitation could allow access to SYSTEM privileges.
140) Heap-based buffer overflow (CVE-ID: CVE-2026-50494)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when parsing input. A local user can trigger the vulnerable condition to execute arbitrary code.
141) Use-after-free (CVE-ID: CVE-2026-50490)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Installer when handling installer operations. A local user can trigger a use-after-free condition to escalate privileges.
142) Improper access control (CVE-ID: CVE-2026-50498)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in the Windows Universal Disk Format File System Driver (UDFS) when processing filesystem operations. A local user can trigger the flaw to escalate privileges.
143) Use-after-free (CVE-ID: CVE-2026-50505)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute code.
The vulnerability exists due to use-after-free in Windows Message Queuing when handling network requests. A remote user can send a specially crafted request to execute code.
144) Out-of-bounds read (CVE-ID: CVE-2026-50491)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to out-of-bounds read in Code Integrity DLL (ci.dll) when processing data. A local user can trigger the out-of-bounds read to escalate privileges.
Successful exploitation could allow access to SYSTEM privileges.
145) Out-of-bounds read (CVE-ID: CVE-2026-50496)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in Windows Network Policy Server SNMP when handling network requests. A remote attacker can send a specially crafted request to disclose sensitive information.
146) Out-of-bounds read (CVE-ID: CVE-2026-50504)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in Remote Desktop Client when handling network traffic. A remote attacker can send crafted network data to disclose sensitive information.
147) Deserialization of Untrusted Data (CVE-ID: CVE-2026-50509)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to deserialization of untrusted data in Windows Wireless Wide Area Network Service when processing serialized data. A local user can supply crafted serialized data to escalate privileges.
Successful exploitation could allow the attacker to gain SYSTEM privileges.
148) Heap-based buffer overflow (CVE-ID: CVE-2026-50518)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows DHCP Server when processing specially crafted network requests containing malicious domain name data. A remote attacker can send specially crafted network requests containing malicious domain name data to execute arbitrary code.
The issue may also cause service disruption.
149) Infinite loop (CVE-ID: CVE-2026-50647)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a loop with an unreachable exit condition in Active Directory Federation Services (AD FS) when handling network packets. A remote attacker can send specially crafted packets to cause a denial of service.
150) Protection mechanism failure (CVE-ID: CVE-2026-50661)
CWE-ID: CWE-693 - Protection Mechanism Failure
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to bypass a security feature.
The vulnerability exists due to protection mechanism failure in Windows BitLocker when accessing the system storage device with physical access. An attacker with physical access can perform a physical attack to bypass a security feature.
Successful exploitation could allow access to encrypted data on the system storage device.
151) Use-after-free (CVE-ID: CVE-2026-50666)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Remote Access Connection Manager when handling network requests. A remote user can trigger the use-after-free condition to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
152) Race condition (CVE-ID: CVE-2026-50669)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a race condition in Windows Telephony Service when using shared resources during concurrent execution. A local user can trigger concurrent operations to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
153) Out-of-bounds read (CVE-ID: CVE-2026-50670)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to out-of-bounds read in Windows Kernel when parsing input. A local user can trigger the out-of-bounds read to escalate privileges.
Successful exploitation could allow the attacker to gain SYSTEM privileges.
154) Use-after-free (CVE-ID: CVE-2026-50672)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows NTFS when processing crafted local actions that trigger a race condition. A local user can win a race condition and prepare the target environment to escalate privileges.
Successful exploitation could allow the attacker to gain SYSTEM privileges.
155) Integer overflow (CVE-ID: CVE-2026-54115)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to integer overflow or wraparound in Windows Active Directory when processing crafted local input. A local user can trigger the integer overflow to escalate privileges.
The attacker would gain the rights of the user that is running the affected application.
156) Cross-site scripting (CVE-ID: CVE-2026-50684)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform spoofing.
The vulnerability exists due to cross-site scripting in Active Directory Federation Services (AD FS) when generating web pages. A remote user can inject crafted input to perform spoofing.
157) Heap-based buffer overflow (CVE-ID: CVE-2026-50679)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows Search Component when processing input. A local user can trigger the flaw to escalate privileges.
Successful exploitation could allow elevation from Medium Integrity Level to a High Integrity Level and gain SYSTEM privileges.
158) Use-after-free (CVE-ID: CVE-2026-50688)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Kernel when handling local operations. A local user can trigger the flaw to escalate privileges.
Successful exploitation could grant SYSTEM privileges.
159) Heap-based buffer overflow (CVE-ID: CVE-2026-50680)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows Hyper-V when processing crafted input. A local user can trigger the flaw to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
160) Information disclosure (CVE-ID: CVE-2026-50681)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in Windows Cryptographic Services when handling cryptographic operations. A local user can access leaked internal memory pointers to disclose sensitive information.
The disclosed information is limited to internal memory pointers, which could help bypass security protections and facilitate further exploitation.
161) Improper Authorization (CVE-ID: CVE-2026-54121)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper authorization in Active Directory Certificate Services (AD CS) when processing certificate requests for manipulated machine account attributes. A remote user can manipulate attributes associated with a machine account and obtain a certificate that allows authentication as that machine via PKINIT to escalate privileges.
If a Domain Controller account can be targeted, the vulnerability may allow privileged Active Directory operations.
162) Out-of-bounds read (CVE-ID: CVE-2026-50682)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to out-of-bounds read in Windows Active Directory when handling network requests. A remote user can send a specially crafted request to cause a denial of service.
163) Double free (CVE-ID: CVE-2026-50685)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to double free in Windows DHCP Server when handling network requests. A remote user can send crafted requests to execute arbitrary code.
164) Heap-based buffer overflow (CVE-ID: CVE-2026-50683)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows DHCP Server when handling DHCP traffic over an adjacent network. A remote user can send specially crafted DHCP messages to escalate privileges.
Successful exploitation could grant SYSTEM privileges.
165) Use-after-free (CVE-ID: CVE-2026-50687)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Kernel when handling crafted local operations. A local user can trigger the use-after-free condition to escalate privileges.
Successful exploitation could grant SYSTEM privileges.
166) Type Confusion (CVE-ID: CVE-2026-50686)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to type confusion in Windows OLE when handling crafted network data. A remote attacker can send specially crafted data to execute arbitrary code.
167) Use-after-free (CVE-ID: CVE-2026-50689)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Clipboard Server when handling local clipboard operations. A local user can trigger the vulnerable condition to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
168) Use-after-free (CVE-ID: CVE-2026-54128)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in Windows DHCP Client when processing DHCP responses locally. A local attacker can trigger a use-after-free condition to execute arbitrary code.
169) NULL pointer dereference (CVE-ID: CVE-2026-56168)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in Windows SMB Server when handling network requests. A remote user can send a specially crafted request to cause a denial of service.
170) Out-of-bounds read (CVE-ID: CVE-2026-56176)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to out-of-bounds read in Windows Win32K - GRFX when parsing input. A local user can trigger the out-of-bounds read to escalate privileges.
Successful exploitation could grant SYSTEM privileges.
171) Heap-based buffer overflow (CVE-ID: CVE-2026-56175)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows NTFS when parsing input. A local user can trigger the flaw to escalate privileges.
172) Integer overflow (CVE-ID: CVE-2026-56182)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to integer overflow or wraparound in Windows NTFS when processing crafted local input. A local user can trigger the flaw to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
173) Use of uninitialized resource (CVE-ID: CVE-2026-56190)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use of uninitialized resource in Windows RDP when handling specially crafted Remote Desktop Protocol traffic. A remote attacker can send specially crafted RDP traffic to execute arbitrary code.
Exploitation requires that Network Level Authentication (NLA) be disabled on the target system.
174) Information disclosure (CVE-ID: CVE-2026-56184)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in Windows Win32K when handling local access to kernel memory addresses. A local user can access disclosed kernel memory address information to disclose sensitive information.
The disclosed information may include certain memory addresses within kernel space, which could be leveraged for other malicious activities.
175) Out-of-bounds read (CVE-ID: CVE-2026-56186)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in Windows Schannel when handling network connections. A remote user can send crafted network traffic to disclose sensitive information.
176) Integer overflow (CVE-ID: CVE-2026-54124)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to execute arbitrary code.
The vulnerability exists due to integer overflow or wraparound in Windows Terminal when parsing input. A local attacker can provide specially crafted input to execute arbitrary code.
177) Heap-based buffer overflow (CVE-ID: CVE-2026-56194)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows Network File System when handling network file system requests. A remote user can send specially crafted network requests to escalate privileges.
Successful exploitation could allow the attacker to obtain SYSTEM privileges.
178) Integer overflow (CVE-ID: CVE-2026-56647)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to integer overflow or wraparound in Windows Remote Access Service Infrastructure when handling network requests. A remote user can send specially crafted requests to escalate privileges.
Successful exploitation could grant SYSTEM privileges.
179) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-56648)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to elevate privileges.
The vulnerability exists due to a time-of-check time-of-use race condition in Windows Network File System when handling network file system operations. A remote user can trigger the race condition to elevate privileges.
Successful exploitation requires winning a race condition and may result in SYSTEM privileges.
180) Race condition (CVE-ID: CVE-2026-56649)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a race condition in Windows Network File System when handling network requests involving shared resources. A remote attacker can send crafted network traffic to execute arbitrary code.
181) Use of uninitialized resource (CVE-ID: CVE-2026-57083)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to use of uninitialized resource in Microsoft Windows Codecs Library when parsing input. A local attacker can trigger processing of crafted input to disclose sensitive information.
182) Heap-based buffer overflow (CVE-ID: CVE-2026-56650)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows Network File System when handling crafted local input. A local user can trigger the overflow to escalate privileges.
Successful exploitation could allow the attacker to gain SYSTEM privileges.
183) Information disclosure (CVE-ID: CVE-2026-57095)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to elevate privileges.
The vulnerability exists due to exposure of sensitive information to an unauthorized actor in Windows Win32K when handling local access to sensitive information. A local attacker can access exposed sensitive information to elevate privileges.
Successful exploitation could lead to SYSTEM privileges.
184) Heap-based buffer overflow (CVE-ID: CVE-2026-57090)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Microsoft Windows Media Foundation when parsing media content. A remote attacker can send specially crafted media data to execute arbitrary code.
185) Heap-based buffer overflow (CVE-ID: CVE-2026-57094)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Microsoft Windows Media Foundation when parsing a specially crafted file. A remote attacker can persuade a user to open a specially crafted file to execute arbitrary code.
User interaction is required to open a crafted file.
186) Stack-based buffer overflow (CVE-ID: CVE-2026-57091)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to stack-based buffer overflow in Windows File History Service when processing input. A local user can trigger the buffer overflow to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
187) Use-after-free (CVE-ID: CVE-2026-57089)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in Windows SMB Server Network Transport Driver (srvnet.sys) when handling network requests. A remote attacker can send a specially crafted request to execute arbitrary code.
188) Out-of-bounds read (CVE-ID: CVE-2026-57085)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in Windows Print Spooler Components when parsing input. A local user can trigger the out-of-bounds read to disclose sensitive information.
The disclosed data is limited to a small amount of memory content from the affected system.
189) Use-after-free (CVE-ID: CVE-2026-57092)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to use-after-free in Windows VMSwitch when handling network-related requests from a guest virtual machine through the Hyper-V Virtual Switch. A remote user can send a specially crafted network-related request to escalate privileges.
Exploitation requires the ability to run code in a guest virtual machine, and successful exploitation can cross the guest virtual machine boundary to affect the host system.
190) Heap-based buffer overflow (CVE-ID: CVE-2026-57087)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Microsoft Windows Media Foundation when parsing a specially crafted media file. A remote attacker can convince a user to open a specially crafted media file to execute arbitrary code.
User interaction is required to open the crafted media file.
191) Improper access control (CVE-ID: CVE-2026-57088)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in Extensible Storage Engine (ESENT) when handling local access to the engine. A local user can leverage authorized access to escalate privileges.
192) Heap-based buffer overflow (CVE-ID: CVE-2026-57096)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) when handling local input. A local user can trigger the buffer overflow to escalate privileges.
Successful exploitation could grant SYSTEM privileges.
193) Use of uninitialized resource (CVE-ID: CVE-2026-57982)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to use of uninitialized resource in Windows RDP when handling RDP connections. A remote user can establish a connection and trigger access to uninitialized heap memory to disclose sensitive information.
The disclosed information may include uninitialized heap memory contents.
194) Out-of-bounds read (CVE-ID: CVE-2026-58528)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an attacker with physical access to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) when parsing input from a physical attack surface. An attacker with physical access can supply crafted input via a physical attack to disclose sensitive information.
195) Heap-based buffer overflow (CVE-ID: CVE-2026-58530)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows Resilient File System (ReFS) when parsing filesystem data. A local user can trigger the vulnerable condition to execute arbitrary code.
196) Heap-based buffer overflow (CVE-ID: CVE-2026-58538)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Windows Bluetooth Service when processing input. A local user can trigger the overflow to escalate privileges.
197) Use of uninitialized resource (CVE-ID: CVE-2026-58533)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to use of uninitialized resource in Windows RDP when handling network connections. A remote attacker can trigger use of the uninitialized resource to disclose sensitive information.
198) Use of uninitialized resource (CVE-ID: CVE-2026-58535)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to use of uninitialized resource in Windows RDP when handling remote desktop protocol communication. A remote attacker can send crafted network traffic to disclose sensitive information.
199) Use of uninitialized resource (CVE-ID: CVE-2026-58546)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to use of uninitialized resource in Windows RDP when handling remote desktop protocol communication. A remote attacker can send crafted network traffic to disclose sensitive information.
200) Out-of-bounds read (CVE-ID: CVE-2026-58539)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in Windows RDP when handling network traffic. A remote attacker can send crafted requests to disclose sensitive information.
201) Improper Authorization (CVE-ID: CVE-2026-58540)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper authorization in Windows Installer when handling local installer operations. A local user can perform crafted local actions to escalate privileges.
202) Race condition (CVE-ID: CVE-2026-58531)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to a race condition in Windows SMB when handling concurrent access to shared resources. A remote user can trigger concurrent operations to escalate privileges.
203) Use-after-free (CVE-ID: CVE-2026-58537)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Microsoft NAT Helper Components (ipnathlp.dll) when handling local operations. A local user can trigger the flaw to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
204) Heap-based buffer overflow (CVE-ID: CVE-2026-58534)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Microsoft Input Method Editor (IME) when parsing input. A local user can trigger the flaw to escalate privileges.
205) Use-after-free (CVE-ID: CVE-2026-58536)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to elevate privileges.
The vulnerability exists due to use-after-free in Windows Cloud Files Mini Filter Driver when processing local operations. A local user can trigger the use-after-free condition to elevate privileges.
206) Heap-based buffer overflow (CVE-ID: CVE-2026-58547)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to heap-based buffer overflow in Universal Plug and Play (upnp.dll) when parsing input. A local user can trigger the overflow to escalate privileges.
207) Use-after-free (CVE-ID: CVE-2026-58544)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Management Services when handling crafted local input. A local user can trigger the flaw to escalate privileges.
208) Heap-based buffer overflow (CVE-ID: CVE-2026-58542)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in Windows Media when parsing input. A remote attacker can trigger the flaw to execute arbitrary code.
209) Race condition (CVE-ID: CVE-2026-58543)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an attacker with physical access to escalate privileges.
The vulnerability exists due to concurrent execution using shared resource with improper synchronization in Windows USB Print Driver when handling concurrent operations. An attacker with physical access can trigger a race condition to escalate privileges.
Successful exploitation could result in SYSTEM privileges.
210) Type Confusion (CVE-ID: CVE-2026-58541)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to type confusion in Windows DWM Core Library when accessing resources. A local user can trigger the flaw locally to escalate privileges.
211) Integer overflow (CVE-ID: CVE-2026-58594)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to integer overflow or wraparound in Windows RDP when handling network requests. A remote attacker can send a specially crafted request to execute arbitrary code.
212) Use-after-free (CVE-ID: CVE-2026-58613)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to elevate privileges.
The vulnerability exists due to use-after-free in Windows Cloud Files Mini Filter Driver when handling local operations. A local user can trigger the flaw to elevate privileges.
Successful exploitation could grant SYSTEM privileges.
213) Use-after-free (CVE-ID: CVE-2026-58619)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Sensor Data Service when handling service operations. A local user can trigger a race condition to escalate privileges.
Successful exploitation requires winning a race condition. An attacker who successfully exploits the vulnerability can gain SYSTEM privileges.
214) Use-after-free (CVE-ID: CVE-2026-58626)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to use-after-free in Windows Remote Desktop Services when handling Remote Desktop Protocol requests. A remote user can send specially crafted requests to execute arbitrary code.
Exploitation requires establishing a connection to the target system via Remote Desktop Protocol.
215) Resource exhaustion (CVE-ID: CVE-2026-58627)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in Windows DHCP Server when handling network requests. A remote attacker can send crafted requests to cause a denial of service.
216) Race condition (CVE-ID: CVE-2026-58628)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to concurrent execution using shared resource with improper synchronization in Windows Wireless Networking when handling concurrent operations. A local user can win a race condition to escalate privileges.
Successful exploitation can be performed from a low-privilege AppContainer and may result in execution or resource access at a higher integrity level, including SYSTEM.
217) Use-after-free (CVE-ID: CVE-2026-58637)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to use-after-free in Windows Client-Side Caching (CSC) Service when handling local operations. A local user can trigger a race condition to escalate privileges.
Successful exploitation requires winning a race condition and can result in SYSTEM assigned integrity level.
218) Missing Required Cryptographic Step (CVE-ID: CVE-2026-58638)
CWE-ID: CWE-325 - Missing Required Cryptographic Step
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass a security feature.
The vulnerability exists due to missing cryptographic step in Windows Boot Loader when processing the boot sequence. A local user can leverage the flaw locally to bypass a security feature.
219) Origin validation error (CVE-ID: CVE-2026-56181)
CWE-ID: CWE-346 - Origin Validation Error
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform spoofing.
The vulnerability exists due to an origin validation error in Windows Network Address Translation (NAT) when handling network traffic on an adjacent network. A remote attacker can position themselves on a logically adjacent network path to perform spoofing.
Exploitation requires machine-in-the-middle conditions on a logically adjacent topology.
220) Out-of-bounds read (CVE-ID: CVE-2026-58529)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in Active Directory Federation Services (AD FS) when handling network requests. A remote user can send a specially crafted request to disclose sensitive information.
Remediation
Install update from vendor's website.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49164
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49169
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49170
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49174
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54129
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54989
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54990
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54111
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54107
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54986
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-55001
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54112
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54982
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54114
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54119
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54995
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54122
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-55144
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50694
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54127
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57097
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57976
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58608
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58609
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58635
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58640
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-34328
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-40400
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-34348
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-44806
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-40378
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-44800
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49178
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49180
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49181
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49184
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49183
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49783
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49787
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49788
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49789
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49790
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49791
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49796
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49797
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49799
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50308
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50311
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49804
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50333
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49805
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49803
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50351
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-49807
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50298
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50293
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50297
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50325
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50384
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50295
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50350
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50381
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50300
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50303
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50329
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50363
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50412
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50337
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50386
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50309
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50326
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50313
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50440
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50380
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50341
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50331
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50343
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50347
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50321
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50425
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50315
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50434
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50339
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50430
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50310
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50330
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50335
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50317
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50366
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50416
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50373
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50388
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50391
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50418
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50378
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50401
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50346
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50376
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50405
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50448
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50387
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50334
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50344
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50437
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50471
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50369
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50469
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50454
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50365
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50426
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50427
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50422
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50421
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50374
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50367
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50383
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50451
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50455
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50402
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50432
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50461
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50431
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50417
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50447
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50420
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50474
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50424
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50406
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50470
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50479
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50482
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50495
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50483
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50502
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50485
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50488
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50500
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50499
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50489
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50494
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50490
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50498
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50505
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50491
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50496
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50504
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50509
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50518
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50647
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50661
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50666
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50669
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50670
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50672
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54115
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50684
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50679
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50688
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50680
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50681
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54121
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50682
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50685
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50683
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50687
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50686
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-50689
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54128
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56168
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56176
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56175
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56182
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56190
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56184
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56186
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-54124
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56194
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56647
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56648
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56649
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57083
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56650
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57095
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57090
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57094
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57091
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57089
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57085
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57092
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57087
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57088
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57096
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-57982
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58528
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58530
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58538
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58533
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58535
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58546
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58539
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58540
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58531
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58537
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58534
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58536
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58547
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58544
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58542
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58543
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58541
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58594
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58613
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58619
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58626
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58627
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58628
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58637
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58638
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-56181
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-58529