Insufficient Granularity of Access Control in Microsoft products - CVE-2026-48581

 

Insufficient Granularity of Access Control in Microsoft products - CVE-2026-48581

Published: July 17, 2026


Vulnerability identifier: #VU138316
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-48581
CWE-ID: CWE-1220
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Microsoft
Affected software:
Microsoft Surface Hub 3
Microsoft Surface Pro 7+
Microsoft Surface Go 3
Microsoft Surface Laptop Go
Microsoft Surface Laptop Go 3
Microsoft Surface Pro 8
Surface Laptop 4 with Intel Processor
Microsoft Surface Go 2
Microsoft Surface Hub 2S
Surface Laptop 4 with AMD Processor
Microsoft Surface Laptop Go 2
Microsoft Surface Hub
Surface Windows Dev Kit

Detailed vulnerability description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient granularity of access control in Surface Broker SDMA, which leads to security restrictions bypass and privilege escalation.


How to mitigate CVE-2026-48581

Install updates from vendor's website.

Sources