CVE-2026-45599: Windows UPnP Remote Code Execution Vulnerability
A use-after-free vulnerability in Windows UPnP (upnp.dll) allows an attacker to run unauthorized code on affected systems over the network without requiring user interaction or special privileges. The vulnerability affects multiple versions of Windows 10, Windows 11, and Windows Server, making it a broad concern for enterprises. While exploitation requires specific network conditions (reflected in the CVSS score of 8.1), successful attacks could lead to complete system compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in Universal Plug and Play (upnp.dll) allows an unauthorized attacker to execute code over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45599 is a use-after-free memory safety defect (CWE-416) in the Universal Plug and Play subsystem on Windows. When upnp.dll processes network packets under certain conditions, it may reference memory that has already been freed, allowing an unauthenticated remote attacker to corrupt memory and execute arbitrary code. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates network-reachable attack surface, high attack complexity (likely requiring precise network conditions or timing), no privilege escalation, and full confidentiality, integrity, and availability impact. The high complexity factor suggests exploitation is not trivial but remains feasible for determined adversaries.
Business impact
Systems running affected Windows versions are at risk of remote code execution, which could enable data theft, malware deployment, lateral movement, or denial of service. For organizations relying on UPnP-enabled devices or services—common in IoT, smart home integrations, and some enterprise network scenarios—this vulnerability presents a direct path to system compromise without requiring a foothold. The breadth of affected versions (Windows 10 and 11 across multiple release channels, plus Server 2012–2025) means patching requirements span diverse infrastructure. Not yet in the CISA Known Exploited Vulnerabilities catalog, but the network-accessible nature and code-execution potential make it a priority for timely remediation.
Affected systems
All listed Windows 10 versions (1607, 1809, 21H2, 22H2), Windows 11 versions (23H2, 24H2, 25H2, 26H1), and Windows Server editions (2012, 2016, 2019, 2022, 2025) are affected. The duplication in the vendor list reflects multiple affected editions or SKUs per version. If your environment includes any of these Windows releases with UPnP enabled or accessible, you are potentially exposed.
Exploitability
The vulnerability requires network access and cannot be exploited locally. Attack complexity is rated 'High,' meaning successful exploitation depends on specific preconditions—such as particular network states, packet sequencing, or timing windows. This does not mean the vulnerability is unexploitable; rather, it is more difficult to trigger reliably than a simple network request. An attacker with knowledge of these conditions or the ability to conduct sustained network probing could craft malicious UPnP packets to trigger the defect. The lack of CISA KEV listing suggests active exploitation has not yet been widely observed, but the network-reachable code-execution pathway makes this a matter of time if patches are not deployed.
Remediation
Microsoft will release security updates for all affected Windows versions. Organizations should apply patches immediately upon release and verification in non-production environments. For systems where patching is delayed, consider network segmentation to restrict UPnP traffic (typically UDP port 1900 and TCP ports 1900, 5000, and higher ephemeral ports used by UPnP), disabling UPnP where not actively required, and monitoring for suspicious network activity directed at UPnP services. Verify patch application through Windows Update, WSUS, or vendor advisory channels.
Patch guidance
Monitor Microsoft security bulletins for updates addressing CVE-2026-45599 across all affected Windows 10 and Windows 11 versions, as well as Server 2012–2025. Test patches in a controlled environment before broad deployment. Prioritize critical servers and user-facing systems. For infrastructure with strict patching windows, implement interim controls (firewall rules, UPnP disablement) until patches can be applied. Verify successful patching via Windows Update history and security update verification tools.
Detection guidance
Log and alert on network traffic to UPnP service ports (UDP 1900, TCP 1900, 5000) from unexpected or suspicious sources. Monitor upnp.dll for access violations, memory corruption events, or process crashes in Event Viewer (Application and System logs). Endpoint detection and response (EDR) tools should flag abnormal behavior from svchost.exe (which hosts UPnP) or other system processes following UPnP service interactions. Network intrusion detection systems may identify malformed UPnP packets once signatures are released. Host-based behavioral monitoring for code execution from UPnP context is valuable given the nature of the defect.
Why prioritize this
This vulnerability merits immediate priority due to its network-reachable code-execution capability, broad platform coverage (Windows 10, 11, and Server editions spanning years of releases), and high CVSS score of 8.1. Although attack complexity is elevated and there is no known active exploitation, the ease of network access and the lack of authentication requirements make it a lucrative target for adversaries once a reliable exploit is public. The scope of affected systems across consumer and enterprise environments increases organizational risk. Early patching prevents weaponization and limits the window of vulnerability.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH) reflects the combination of network accessibility (AV:N), high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), and the absence of authentication or user interaction requirements (PR:N/UI:N). The 'High' attack complexity (AC:H) prevents a critical rating, indicating that while exploitation is possible, it is not as straightforward as a simple crafted request. This balanced score appropriately captures a serious vulnerability that is exploitable but not trivial, requiring security teams to treat it with urgency while recognizing that defenders have some time advantage if they act promptly on patch release.
Frequently asked questions
Can UPnP be disabled on Windows without breaking functionality?
In most enterprise and well-managed consumer environments, UPnP can be safely disabled. It is primarily used for automatic device discovery and port mapping in home networks and IoT scenarios. Group Policy can disable UPnP Service on domain-joined systems via gpedit.msc or GPMC. Test disablement in non-critical systems first to ensure no legitimate services depend on it. For users requiring UPnP, apply the patch as soon as available rather than disabling the service.
Does this vulnerability affect Windows 7 or older systems?
The source data specifies Windows 10 (versions 1607 onward), Windows 11, and Windows Server 2012–2025. Windows 7 is not listed. However, you should verify against the official Microsoft security advisory to confirm whether any extended support or legacy editions are affected.
What is the difference between CVSS complexity 'High' and 'Low'?
'High' complexity means the attacker must satisfy specific conditions beyond sending a single malicious packet—such as precise timing, particular system states, or detailed knowledge of the target's network configuration. This makes reliable exploitation harder and gives organizations a better chance to detect and respond to attack attempts. 'Low' complexity means a simple, repeatable attack succeeds most of the time. For this vulnerability, the 'High' rating buys defenders a modest advantage in time and detection opportunity.
If this vulnerability is not yet in CISA's Known Exploited Vulnerabilities list, why should I prioritize it?
CISA's KEV catalog documents vulnerabilities already being exploited in the wild. The absence of a KEV entry does not mean the vulnerability is low-risk; it means active exploitation has not yet been officially observed or reported. High-severity network-reachable code-execution vulnerabilities are frequently targeted shortly after patches are released or shortly after a proof-of-concept emerges. Patching promptly prevents your organization from becoming a target once exploitation becomes routine.
This analysis is based on the vulnerability data published as of June 2026. Patch availability, KEV status, and active exploitation may change; consult the official Microsoft Security Response Center (MSRC) and CISA advisories for the most current information. Verify all patch versions, compatibility, and deployment guidance against vendor advisories before implementation. This document does not constitute professional security advice; organizations should conduct their own risk assessment and consult qualified security professionals for remediation planning. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability