Use of uninitialized resource in Windows and Windows Server - CVE-2026-50455

 

Use of uninitialized resource in Windows and Windows Server - CVE-2026-50455

Published: July 17, 2026


Vulnerability identifier: #VU138047
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-50455
CWE-ID: CWE-908
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Microsoft
Affected software:
Windows
Windows Server

Detailed vulnerability description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to use of uninitialized resource in upnp.dll when handling local access to files through the UPnP Device Host Service. A local user can access files readable by the service to disclose sensitive information.

The exposed data may include restricted system files or configuration data accessible to the service running under the LOCAL SERVICE account.


How to mitigate CVE-2026-50455

Install security update from vendor's website.

Sources