Skip to main content

Universal Plug CVE-2026-32212

| EUVDEUVD-2026-22593 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2026-04-14 microsoft GHSA-w3xc-48m6-6x2m
5.5
CVSS 3.1 · NVD
Temporal: 4.8
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CIRCL (temporal)
4.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 19:42 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22593
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
MEDIUM 5.5

DescriptionCVE.org

Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.

AnalysisAI

Improper link resolution in Windows UPnP (upnp.dll) allows authenticated local attackers to disclose sensitive information through symlink following. The vulnerability affects Windows 10 versions 1607-22H2, Windows 11 versions 22H3-26H1, and Windows Server 2012-2025. With local access and standard user privileges, an attacker can read files outside their normal access scope via crafted UPnP operations. Patch available from Microsoft; no public exploit code or active exploitation confirmed at tim

Technical ContextAI

Universal Plug and Play (UPnP) is a Windows service that enables device discovery and communication over local networks. The upnp.dll library handles UPnP protocol operations, including file access operations for configuration and device metadata. This vulnerability is a classic symlink-following flaw (CWE-59) where the library fails to validate that a file path does not resolve through symbolic links or junction points before accessing it. An authenticated user with local access can create symbolic links pointing to protected system files or sensitive user data, then trigger UPnP operations that follow these links without proper checks. The affected CPE strings span multiple Windows editions: Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), Windows Server 2012 through 2025 (including R2 and Server Core variants).

RemediationAI

Vendor-released patch available from Microsoft. Users should apply the latest security update for their Windows version via Windows Update, Systems Update for Business, or the Microsoft Update Catalog (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32212). For Windows 10 Version 1607, update to 10.0.14393.9060 or later; Windows 10 Version 1809, to 10.0.17763.8644 or later; Windows 10 Version 21H2, to 10.0.19044.7184 or later; Windows 10 Version 22H2, to 10.0.19045.7184 or later; Windows 11 Version 22H3, to 10.0.22631.6936 or later; Windows 11 Version 23H2, to 10.0.22631.6936 or later; Windows 11 Version 24H2, to 10.0.26100.32690 or later; Windows 11 Version 25H2, to 10.0.26200.8246 or later; Windows 11 Version 26H1, to 10.0.28000.1836 or later; Windows Server 2012, to 6.2.9200.26026 or later; Windows Server 2012 R2, to 6.3.9600

Share

CVE-2026-32212 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy