Skip to main content

Microsoft Surface CVE-2026-48581

| EUVDEUVD-2026-43794 HIGH
Insufficient Granularity of Access Control (CWE-1220)
2026-07-14 microsoft GHSA-59xf-77x2-pv8f
7.8
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local vector and a valid low-privileged account are required (AV:L, PR:L) with no user interaction; successful escalation yields full C/I/A impact within an unchanged scope.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 18:38 vuln.today
CVE Published
Jul 14, 2026 - 17:05 cve.org
HIGH 7.8

DescriptionCVE.org

Insufficient granularity of access control in Microsoft Surface allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Microsoft Surface devices (Go, Hub, Laptop Go/Go 3, Pro/Pro 8, Laptop 4 AMD/Intel, Windows Dev Kit) allows an authenticated low-privileged user to gain higher privileges through insufficiently granular access control (CWE-1220) in the device firmware/platform layer. The flaw carries a CVSS 7.8 (High) with full confidentiality, integrity, and availability impact once exploited, but requires prior local access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged local account
Delivery
Invoke vulnerable Surface access-control component
Exploit
Cross insufficient privilege boundary
Execution
Execute code at elevated privilege
Impact
Full control of device

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already possess authenticated low-privileged local access to the affected Surface device (CVSS PR:L, AV:L), so this cannot be triggered remotely or by an unauthenticated party. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8) indicates a locally-exploitable flaw requiring low privileges but no user interaction, yielding high impact across all three security properties within an unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already obtained a standard, low-privileged local account on a Surface Pro 8 - for example through phishing, a stolen credential, or a shared kiosk device - invokes the vulnerable Surface platform component to cross the weak access-control boundary and elevate to a higher privilege level, gaining full read/write control and the ability to disrupt the device. No user interaction and low attack complexity make the escalation reliable once local access is held; no public POC is currently identified.
Remediation Patch available per vendor advisory - apply the Microsoft Surface firmware/driver update addressing CVE-2026-48581 as published on the MSRC update guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48581); because fixes for Surface are delivered as model-specific firmware/driver packages via Windows Update and the Surface driver-and-firmware download packs, update each affected model (Surface Go, Hub, Laptop Go/Go 3, Pro/Pro 8, Laptop 4 AMD/Intel, Windows Dev Kit) to the current package. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, use your MDM and asset inventory systems to identify all Microsoft Surface devices across your organization and establish patch deployment scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48581 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy