CVE-2026-45599: Windows UPnP Device Host Remote Code Execution Vulnerability
Use after free in Universal Plug and Play (upnp.dll) allows an unauthorized attacker to execute code over a network.
Metrics
- CVSS v3.1
- 8.1
- Severity
- HIGH
- Fixed in
- 6.2.9200.26132
- Affected Products
- 20
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Windows UPnP Device Host service (upnp.dll) allows a remote, unauthenticated attacker to execute arbitrary code on affected systems over the network. The exploit is reachable without any credentials and requires no user interaction, though successful exploitation depends on meeting specific timing or environmental conditions due to the high attack complexity rating. Successful exploitation gives the attacker full control, enabling arbitrary code execution with the privileges of the UPnP service process. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows versions.
HarborGuard Coverage
Detection of CVE-2026-45599 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication from upstream feeds. Coverage extends to custom-built images that bundle Windows base layers, not just images pulled from public repositories.
AvailableHarborGuard is capable of scoring this CVE at CVSS 8.1 (HIGH) and weighting that score against each customer organization's compliance policy to determine urgency and routing. Triage findings are routable to the appropriate team inbox within each customer org based on configured ownership rules.
AvailablePatched-image rebuilds at the applicable fix versions (including 10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and the corresponding Windows 11 builds) are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the UPnP Device Host service over the network; any system exposing upnp.dll to network traffic is in scope.
- AuthenticationNot required
No credentials or account of any kind are needed; the vulnerability is exploitable by an unauthenticated attacker.
- Victim interactionNot required
The attacker does not need to trick or wait for any user to take an action; exploitation is entirely attacker-driven.
- Attack complexityDetail
Exploitation is rated high complexity, meaning the attacker must account for race conditions, specific memory layout states, or other environmental factors that are not fully within their control.
Blast Radius
- A successful attacker executes arbitrary code in the context of the UPnP Device Host process, potentially gaining a foothold on the host.
- Confidentiality is fully compromised: the attacker can read memory, credentials, tokens, or any data accessible to the service process.
- Integrity is fully compromised: the attacker can write or modify files, registry keys, and in-memory state accessible to the process.
- Availability is fully compromised: the attacker can crash the service or, with elevated privilege escalation steps, disrupt the broader system.
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE is matched against customer images within minutes of feed ingestion, covering both public Windows base images and custom-built layers. For environments running an affected Windows version, a patched-image rebuild at the relevant fix version is available. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, executes a regression test run, and opens a PR against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Customers who have not enabled auto-remediation will see the CVE flagged in their scan results with fix-version details so they can initiate a manual rebuild. Because this is a network-reachable, unauthenticated vulnerability with a CVSS score of 8.1, customers are advised to prioritize patching promptly and, where a rebuild is not yet deployed, to consider network-policy controls that restrict access to the UPnP Device Host port from untrusted network segments.
Fix available
- Microsoft / Windows 10 Version 1607< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2< 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2< 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2< 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2< 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation)< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation)< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C