CVE-2026-27915

CWE-416 — Use After Free2 documents2 sources

Severity

7.8HIGH

EPSS

No EPSS data

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

20

Microsoft Windows 10 Version 1607 Microsoft Windows 10 Version 1809 Microsoft Windows 10 Version 21h2 +17 more

Timeline

PublishedApr 14

Description

Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages20 packages

▶CVEListV5microsoft/windows_server_20126.2.9200.0 — 6.2.9200.26026

▶CVEListV5microsoft/windows_server_201610.0.14393.0 — 10.0.14393.9060

▶CVEListV5microsoft/windows_server_201910.0.17763.0 — 10.0.17763.8644

▶CVEListV5microsoft/windows_server_202210.0.20348.0 — 10.0.20348.5020

▶CVEListV5microsoft/windows_server_202510.0.26100.0 — 10.0.26100.32690

🔴Vulnerability Details

1

CVEList

Windows UPnP Device Host Elevation of Privilege Vulnerability↗2026-04-14

▶

CVE-2026-27915 (HIGH CVSS 7.8) | Use after free in Windows Universal | cvebase.io