CVE-2026-45635: Windows UPnP Device Host Remote Code Execution Vulnerability
Use after free in Universal Plug and Play (upnp.dll) allows an unauthorized attacker to execute code over a network.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
Use-after-free in the Windows UPnP Device Host service (upnp.dll) allows a remote, unauthenticated attacker to execute arbitrary code on affected Windows systems over the network. The vulnerability is reachable without any credentials and requires no user interaction, though exploitation involves meaningful technical complexity due to memory layout requirements. Successful exploitation gives the attacker full control over the affected host, including the ability to read, modify, or destroy data and disrupt running services. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows-based container images.
HarborGuard Coverage
Detection of CVE-2026-45635 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built Windows container images. Coverage extends to any image whose base layer or installed components fall within the affected version ranges listed in the advisory.
HarborGuard scores this CVE at 8.1 HIGH (CVSS v3.1) and is capable of weighting that score against each customer environment's compliance policy to determine escalation priority. Triage findings are routable to the appropriate team inbox within each customer organization based on policy-defined ownership rules.
Patched-image rebuilds pinned to the applicable fix versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and their counterparts for Windows 11 releases) are available on HarborGuard for environments running affected image versions. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must reach the UPnP Device Host service over the network; no local access or physical presence is required.
- Authentication: Not required
No credentials of any kind are needed; the vulnerable code path is exposed to unauthenticated network requests.
- Victim interaction: Not required
Exploitation is fully silent and requires no action from any user on the target system.
- Attack complexity: Detail
Exploitation is rated High complexity, meaning the attacker must overcome memory layout constraints or timing conditions inherent in triggering the use-after-free reliably.
Blast Radius
- A successful attacker executes arbitrary code in the context of the UPnP Device Host service, gaining a foothold on the host.
- With code execution established, the attacker reads files and in-memory secrets accessible to the service account, including stored credentials or session data.
- The attacker modifies or deletes files and registry entries reachable by the compromised process, enabling persistence or sabotage of host configuration.
- The attacker terminates or destabilizes the UPnP service and any dependent services, causing a loss of availability for those components.
How HarborGuard Handles This
Available on HarborGuard: detection of CVE-2026-45635 activates automatically for any scanned image matching the affected Windows version ranges, with no configuration required. Where compliance policy permits, HarborGuard rebuilds affected images at the patched OS versions and, for customers who opt into auto-remediation, opens a pull request against affected workloads with a regression run attached; for high-severity issues like this one, the median time from CVE publication to merged patch PR is around 90 minutes in auto-remediation-enabled environments. For customers who cannot immediately apply the patch (for example, due to change-freeze windows), compensating controls worth considering include isolating UPnP-exposing workloads behind network policy rules that block unsolicited inbound traffic on UPnP ports (TCP/UDP 1900 and related ephemeral ports), and disabling the UPnP Device Host service via image configuration if it is not required by the workload. HarborGuard continues to monitor the advisory each ingest cycle and will surface any revised scoring or additional affected-version disclosures as they are published by Microsoft.
Fix available
- Microsoft / Windows 10 Version 1607 < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809 < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2 < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2 < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2 < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2 < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2 < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2 < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1 < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012 < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation) < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2 < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation) < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016 < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation) < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019 < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation) < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022 < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025 < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation) < 10.0.26100.32995 (from 10.0.26100.0)
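The affected ranges listed above, turned into a matcher for image OS versions, as an added example that is not HarborGuard's or Microsoft's code. The `client`/`server` edition labels, the function names and the inventory entries are assumptions constructed for illustration; build 10.0.26100 shows why the edition matters, since Windows 11 24H2 and Windows Server 2025 share it but have different fixed revisions.

```python
# Added example: fixed revisions copied from the "Fix available" list on this page.
# Key: (major, minor, build). Value: {edition: first fixed revision}.
# The "client"/"server" labels are hypothetical names chosen for this example.
AFFECTED = {
    (6, 2, 9200): {"server": 26132},
    (6, 3, 9600): {"server": 23228},
    (10, 0, 14393): {"client": 9234, "server": 9234},
    (10, 0, 17763): {"client": 8880, "server": 8880},
    (10, 0, 19044): {"client": 7417},
    (10, 0, 19045): {"client": 7417},
    (10, 0, 20348): {"server": 5256},
    (10, 0, 22631): {"client": 7219},
    (10, 0, 26100): {"client": 8655, "server": 32995},
    (10, 0, 26200): {"client": 8655},
    (10, 0, 28000): {"client": 2269},
}


def classify(os_version: str, edition: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-listed' for a 4-part Windows version."""
    parts = os_version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build.revision, got {os_version!r}")
    major, minor, build, revision = map(int, parts)
    fixes = AFFECTED.get((major, minor, build))
    if fixes is None or edition not in fixes:
        return "not-listed"
    # Compare as integers: as strings, "32995" would sort below "8655".
    return "vulnerable" if revision < fixes[edition] else "fixed"


# Constructed inventory: (image reference, OS version, edition). Not real images.
INVENTORY = [
    ("registry.example/app/api:1.4", "10.0.26100.9000", "server"),
    ("registry.example/app/web:2.0", "10.0.20348.5256", "server"),
    ("registry.example/legacy/batch:7", "10.0.17763.2000", "server"),
]


def triage(inventory):
    """Map each image reference to its classification."""
    return {image: classify(version, edition) for image, version, edition in inventory}


if __name__ == "__main__":
    for image, status in triage(INVENTORY).items():
        print(f"{status:11} {image}")
```
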
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C