Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in Windows Universal Plug and Play (UPnP) Device Host across all supported Windows 10, 11, and Server versions allows unauthenticated attackers to achieve high-impact compromise via use-after-free memory corruption. The vulnerability affects Windows 10 versions 1607 through 22H2, Windows 11 versions 22H3 through 26H1, and Windows Server 2012 through 2025 (including Server Core installations). Despite requiring local access and high attack complexity (CVSS:3.1/AV:L/AC:H), the
Technical ContextAI
The Windows Universal Plug and Play (UPnP) Device Host service (upnphost) facilitates network device discovery and control on local networks. This vulnerability stems from a use-after-free condition (CWE-416), a memory safety defect where the service continues to reference memory after it has been deallocated. In Windows kernel and system service contexts, use-after-free vulnerabilities occur when object lifetime management fails between concurrent operations, allowing an attacker to reclaim freed memory with controlled data structures. The UPnP Device Host runs with elevated system privileges to manage network device enumeration and SSDP protocol handling. Successful exploitation requires precise timing to win the race condition (reflected in AC:H) and the ability to place malicious objects in freed memory regions, but grants full control over the compromised system. The vulnerability spans the entire modern Windows ecosystem from legacy Server 2012 (kernel 6.2) through current Windows 11 26H1 and Server 2025 (kernel 10.0.28000), indicating a long-standing architectural issue in the UPnP implementation rather than a recent regression.
RemediationAI
Apply the vendor-released security updates from Microsoft's May 2026 Patch Tuesday (or subsequent release) to upgrade affected systems to patched build versions. For Windows 10 1607, upgrade to build 10.0.14393.9060 or later; for Windows 10 1809, upgrade to 10.0.17763.8644 or later; for Windows 10 21H2, upgrade to 10.0.19044.7184 or later; for Windows 10 22H2, upgrade to 10.0.19045.7184 or later; for Windows 11 22H3/23H2, upgrade to 10.0.22631.6936 or later; for Windows 11 24H2, upgrade to 10.0.26100.32690 or later; for Windows 11 25H2, upgrade to 10.0.26200.8246 or later; for Windows 11 26H1, upgrade to 10.0.28000.1836 or later; for Windows Server 2012, upgrade to 6.2.9200.26026 or later; for Server 2012 R2, upgrade to 6.3.9600.23132 or later; for Server 2016, upgrade to 10.0.14393.9060 or later; for Server 2019, upgrade to 10.0.17763.8644 or later; for Server 2022, upgrade to 10.0.20348.5020 or later; for Server 2022 23H2, upgrade
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22544
GHSA-gx83-r546-6cg7