CVE-2026-45635: Windows UPnP Remote Code Execution Vulnerability (CVSS 8.1)
A type confusion vulnerability in Windows' Universal Plug and Play (UPnP) component allows attackers to execute code remotely on affected systems without authentication. The flaw stems from improper handling of incompatible data types in upnp.dll, which can be exploited over a network to gain full system compromise. This affects a broad range of Windows versions from Windows 10 through Windows 11, as well as Windows Server deployments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416, CWE-843
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Access of resource using incompatible type ('type confusion') in Universal Plug and Play (upnp.dll) allows an unauthorized attacker to execute code over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45635 is a type confusion vulnerability (CWE-843) combined with use-after-free characteristics (CWE-416) in the UPnP implementation within upnp.dll. The vulnerability allows an unauthenticated network-based attacker to trigger a type mismatch condition that leads to arbitrary code execution with system-level privileges. The attack vector requires network access but does not require user interaction or elevated privileges to initiate. The CVSS 3.1 score of 8.1 (HIGH severity) reflects the network-adjacent attack surface, high complexity barrier, but complete impact across confidentiality, integrity, and availability.
Business impact
Organizations running affected Windows versions face risk of remote code execution attacks that could lead to data exfiltration, ransomware deployment, lateral movement, or persistent compromise. UPnP is commonly enabled on networked systems, including enterprise infrastructure, increasing the potential attack surface. Successful exploitation could result in regulatory violations (HIPAA, PCI-DSS, SOC 2), operational disruption, and breach notification obligations. The vulnerability is particularly concerning for organizations with internet-facing systems or those in shared network environments where UPnP traffic may be reachable from untrusted sources.
Affected systems
The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, and 22H2) and Windows 11 (versions 23H2, 24H2, 25H2, and 26H1), as well as Windows Server 2012, 2016, 2019, 2022, and 2025. Essentially, all currently supported and extended-support Windows versions carry this risk. The broad scope of affected versions reflects the fundamental nature of the flaw in the core UPnP subsystem, which has remained largely unchanged across these releases.
Exploitability
Exploitation requires network access and intermediate technical complexity, but no user interaction or authentication. The attack can be delivered remotely, making it suitable for mass scanning and targeting. While the CVSS vector indicates high complexity (AC:H), this typically reflects mitigation factors such as environment-specific conditions or exploitation constraints rather than ease of weaponization. The absence of a public exploit at the time of publication does not reduce the practical risk, particularly given the high-value target (system code execution) and broad affected install base.
Remediation
Apply security updates from Microsoft that address the type confusion and use-after-free conditions in upnp.dll. Verify against the vendor advisory for specific patch versions applicable to your Windows version. Organizations unable to patch immediately should consider disabling or restricting UPnP traffic at the network perimeter, particularly for systems not requiring UPnP functionality. This can be accomplished through firewall rules blocking UDP port 1900 and TCP ports 49152–65535 (UPnP range) from untrusted networks.
Patch guidance
Consult the Microsoft Security Update Guide for the specific KB articles and patch versions corresponding to your affected Windows version. Given the publication date of June 9, 2026, and modification date of July 9, 2026, priority should be given to deploying patches in the subsequent Microsoft monthly update cycle. Plan patching in phases: critical internet-facing systems and servers first, then client systems, then legacy extended-support systems. Validate patch deployment through endpoint management tools and WSUS if applicable. Test patches in a controlled environment before production rollout to mitigate compatibility risks.
Detection guidance
Monitor network traffic for UPnP requests (UDP port 1900) from unexpected or untrusted sources. Implement intrusion detection signatures targeting malformed UPnP packets or type-confusion payloads in the M-SEARCH discovery protocol. Enable process monitoring and code execution alerts on systems running upnp.dll (typically svchost.exe -k LocalService). Log Windows Defender/WDEG detections and system call anomalies indicative of memory corruption exploitation. Correlate UPnP service crashes or restarts with suspicious network activity to identify exploitation attempts. Organizations with advanced endpoint detection and response (EDR) solutions should review behavioral heuristics for heap corruption and privilege escalation patterns.
Why prioritize this
This vulnerability merits immediate prioritization due to its HIGH CVSS severity score, network-exploitable attack vector, lack of authentication requirement, and impact on a core operating system component present across the entire Windows ecosystem. The type confusion and use-after-free combination suggests reliable exploitation potential despite the noted complexity factors. Organizations with broad Windows deployments, especially those with internet-facing assets or systems in DMZs, should treat this as a P1 remediation candidate. The long support tail of affected versions (including Windows Server 2012) compounds the urgency for legacy environment owners.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH) reflects: network-based attack vector (AV:N) with no requirement for authentication (PR:N) or user interaction (UI:N), yielding broad attack surface; high impact across confidentiality, integrity, and availability (C:H/I:H/A:H) due to arbitrary code execution as a system service; unchanged scope (S:U) indicating impact confined to the vulnerable component; and medium attack complexity (AC:H), which mitigates an otherwise critical score. The score appropriately emphasizes the practical risk while acknowledging exploitation barriers. This is a workable but serious vulnerability that justifies rapid patch deployment and compensating controls.
Frequently asked questions
Is this vulnerability actively exploited in the wild?
As of the publication and modification dates (June–July 2026), there is no confirmed evidence of active exploitation or public proof-of-concept code. However, the network-exploitable nature and broad affected install base make it an attractive target for adversaries. Organizations should not assume a grace period and should prioritize patching accordingly.
Can UPnP be safely disabled on enterprise systems?
Many enterprise systems do not require UPnP functionality. Disabling the UPnP Device Host service (upnphost) and blocking UPnP traffic at the firewall can significantly reduce risk while patches are staged. However, verify that no business-critical applications or IoT integrations depend on UPnP before disabling it organization-wide.
Does this vulnerability affect systems with UPnP disabled by default?
Systems with UPnP explicitly disabled are not directly vulnerable to network-based exploitation of this flaw. However, UPnP may be re-enabled through policy changes, user action, or application installation. Ensure UPnP remains disabled through Group Policy (if applicable) and periodic audits to maintain this protection posture.
What is the difference between use-after-free (CWE-416) and type confusion (CWE-843) in this context?
Type confusion (CWE-843) describes the root cause—improper handling of incompatible data types in UPnP requests. Use-after-free (CWE-416) likely describes the memory safety consequence: corrupted type handling can lead to freed memory being accessed, triggering code execution. Together, these weaknesses create a complete exploitation chain from malformed input to privilege escalation.
This analysis is based on publicly available information from the CVE record and Microsoft security advisories as of the publication and modification dates provided. Patch version numbers, specific KB articles, and detailed vendor guidance should be verified against official Microsoft Security Update documentation before deployment. This explainer does not constitute security advice; organizations should conduct their own risk assessment and testing prior to implementing any remediation. The absence of current exploitation reports does not guarantee future non-exploitation. All system changes, including patching and service disablement, should be tested in controlled environments and aligned with organizational change management policies. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability