Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local vector and a valid low-privileged account are required (AV:L, PR:L) with no user interaction; successful escalation yields full C/I/A impact within an unchanged scope.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Insufficient granularity of access control in Microsoft Surface allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Surface devices (Go, Hub, Laptop Go/Go 3, Pro/Pro 8, Laptop 4 AMD/Intel, Windows Dev Kit) allows an authenticated low-privileged user to gain higher privileges through insufficiently granular access control (CWE-1220) in the device firmware/platform layer. The flaw carries a CVSS 7.8 (High) with full confidentiality, integrity, and availability impact once exploited, but requires prior local access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already possess authenticated low-privileged local access to the affected Surface device (CVSS PR:L, AV:L), so this cannot be triggered remotely or by an unauthenticated party. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8) indicates a locally-exploitable flaw requiring low privileges but no user interaction, yielding high impact across all three security properties within an unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already obtained a standard, low-privileged local account on a Surface Pro 8 - for example through phishing, a stolen credential, or a shared kiosk device - invokes the vulnerable Surface platform component to cross the weak access-control boundary and elevate to a higher privilege level, gaining full read/write control and the ability to disrupt the device. No user interaction and low attack complexity make the escalation reliable once local access is held; no public POC is currently identified. |
| Remediation | Patch available per vendor advisory - apply the Microsoft Surface firmware/driver update addressing CVE-2026-48581 as published on the MSRC update guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48581); because fixes for Surface are delivered as model-specific firmware/driver packages via Windows Update and the Surface driver-and-firmware download packs, update each affected model (Surface Go, Hub, Laptop Go/Go 3, Pro/Pro 8, Laptop 4 AMD/Intel, Windows Dev Kit) to the current package. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, use your MDM and asset inventory systems to identify all Microsoft Surface devices across your organization and establish patch deployment scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43794
GHSA-59xf-77x2-pv8f