Skip to main content

Microsoft CVE-2026-3991

| EUVDEUVD-2026-17164 HIGH
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-03-30 symantec GHSA-6r2p-x2m4-j49c
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 18:45 euvd
EUVD-2026-17164
Analysis Generated
Mar 30, 2026 - 18:45 vuln.today
CVE Published
Mar 30, 2026 - 18:27 nvd
HIGH 7.8

DescriptionCVE.org

Symantec Data Loss Prevention Windows Endpoint, prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

AnalysisAI

Elevation of privilege in Symantec Data Loss Prevention Windows Endpoint allows authenticated local users to gain SYSTEM-level access and compromise protected resources. Affects all versions prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15. CVSS 7.8 (High) reflects the local attack vector but complete system compromise upon successful exploitation. No public exploit identified at time of analysis, though the CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) classification suggests potential DLL hijacking or similar trust boundary violations.

Technical ContextAI

The vulnerability stems from CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), indicating the DLP Windows endpoint agent may load or execute code from locations controllable by lower-privileged users. This class of vulnerability commonly manifests through unquoted service paths, insecure directory permissions allowing DLL planting, or loading configuration/plugins from user-writable locations. The Symantec/Broadcom DLP Windows Endpoint runs with elevated privileges to monitor data exfiltration attempts across applications, clipboard operations, and network traffic. The affected CPE (cpe:2.3:a:broadcom:data_loss_prevention) covers the Windows endpoint agent component specifically, which operates as a kernel-mode driver and user-mode service. When such agents trust user-controlled paths or fail to validate code integrity, authenticated users can inject malicious libraries or executables that inherit the agent's SYSTEM context. The 'Information Disclosure' and 'Microsoft' tags suggest this may also expose sensitive DLP policy configurations or monitored data during the privilege escalation process.

RemediationAI

Organizations must upgrade Symantec Data Loss Prevention Windows Endpoint agents to patched versions based on their current release branch. For version 25.x deployments, upgrade to 25.1 MP1 or later. For version 16.1 deployments, upgrade to 16.1 MP2 or later. For version 16.0 RU2 deployments, upgrade to 16.0 RU2 HF9 or later. For version 16.0 RU1 deployments, upgrade to 16.0 RU1 MP1 HF12 or later. For version 16.0 maintenance pack deployments, upgrade to 16.0 MP2 HF15 or later. The Broadcom security advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37306 provides release-specific upgrade paths and installation packages. As an interim mitigation where immediate patching is not feasible, restrict local user privileges on systems running DLP agents, enforce application control policies to prevent unauthorized code execution, and monitor DLP agent service integrity through endpoint detection and response (EDR) solutions. No workaround fully mitigates the vulnerability; patching remains the definitive remediation.

Share

CVE-2026-3991 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy