Skip to main content

Microsoft PC Manager CVE-2026-50512

| EUVDEUVD-2026-35771 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-09 microsoft GHSA-c6mx-5853-2f2j
7.8
CVSS 3.1 · Vendor: microsoft
Temporal: 6.8
Share

Severity by source

Vendor (microsoft) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 18:52 vuln.today
CVE Published
Jun 09, 2026 - 17:36 nvd
HIGH 7.8

DescriptionCVE.org

Missing authentication for critical function in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Microsoft PC Manager allows an authenticated low-privileged attacker to gain elevated rights on the host by abusing a critical function that lacks proper authentication checks. The flaw (CWE-306) is reported by Microsoft itself with a CVSS 7.8 (AV:L/AC:L/PR:L) and no public exploit identified at time of analysis, but a vendor patch is available via MSRC.

Technical ContextAI

Microsoft PC Manager is a Windows utility application that performs system maintenance tasks such as storage cleanup, process management, startup optimization, and security scanning - operations that typically require interaction with privileged components or services running at higher integrity levels. The CPE cpe:2.3:a:microsoft:microsoft_pc_manager:*:*:*:*:*:*:*:* indicates all versions are in scope pending the fixed build. The root cause is CWE-306 (Missing Authentication for Critical Function): a sensitive operation exposed by the application (likely an IPC endpoint, named pipe, COM interface, or privileged service request) does not verify that the caller is authorized to invoke it, so any local user context can reach functionality intended for higher-privileged components.

RemediationAI

Apply the vendor-released update for Microsoft PC Manager referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50512, since Patch available per vendor advisory and the exact fixed build number should be taken from that page rather than inferred. Where immediate patching is not possible, restrict who can log on interactively or via remote desktop to affected hosts to limit which accounts can exercise the local attack vector, and consider uninstalling Microsoft PC Manager on systems that do not actively use it - both controls reduce exposure but the first weakens least-privilege use cases and the second removes a maintenance utility users may rely on. Monitor for anomalous child processes or token manipulation originating from PC Manager service components as a detection compensating control until the fix is deployed.

Share

CVE-2026-50512 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy