Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows Universal Plug and Play Device Host service affects all supported Windows 10, Windows 11, and Windows Server versions via untrusted pointer dereference (CWE-822). Low-complexity attack requires low-level authenticated access (PR:L) with no user interaction, enabling complete system compromise (C:H/I:H/A:H). Microsoft released patches in May 2025 for 21 affected product versions. No public exploit identified at time of analysis, though the local attack vector
Technical ContextAI
The vulnerability exists in the Windows Universal Plug and Play (UPnP) Device Host service (upnphost.dll), a core networking component that enables automatic device discovery and configuration on local networks. The flaw stems from CWE-822 (Untrusted Pointer Dereference), where the UPnP service improperly validates pointer references before dereferencing them. An authenticated attacker with low-level privileges can supply malicious pointer values that cause the service to dereference attacker-controlled memory locations. Since the UPnP Device Host service typically runs with elevated SYSTEM privileges, successful exploitation allows arbitrary code execution in the security context of the service, bypassing Windows privilege boundaries. The vulnerability affects the UPnP service implementation across all modern Windows platforms from legacy Server 2012 through current Windows 11 26H1 and Server 2025, indicating the flaw exists in shared codebase spanning over a decade of Windows releases.
RemediationAI
Apply Microsoft's May 2025 security updates immediately via Windows Update or WSUS. Patched versions include Windows 10 Version 1607/Server 2016 build 10.0.14393.9060 or later, Windows 10 Version 1809/Server 2019 build 10.0.17763.8644 or later, Windows 10 Version 21H2 build 10.0.19044.7184 or later, Windows 10 Version 22H2 build 10.0.19045.7184 or later, Windows 11 Version 22H3/23H2 build 10.0.22631.6936 or later, Windows 11 Version 24H2/Server 2025 build 10.0.26100.32690 or later, Windows 11 Version 25H2 build 10.0.26200.8246 or later, Windows 11 Version 26H1 build 10.0.28000.1836 or later, Windows Server 2012 build 6.2.9200.26026 or
Same weakness CWE-822 – Untrusted Pointer Dereference
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22466
GHSA-2jf6-4m5x-vv8v