CVE-2026-50511: Microsoft PC Manager Elevation of Privilege Vulnerability
Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 3.21.6.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
A link-following vulnerability (also called a symlink or junction attack) in Microsoft PC Manager allows a locally authenticated attacker to elevate their privileges on the affected machine. The attacker must already have a low-privilege account on the host; no network access or user interaction is required. Successful exploitation gives the attacker full read, write, and execution capabilities at a higher privilege level, effectively taking control of the system. A patched-image rebuild at version 3.21.6.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-50511 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed ingestion, including custom-built images that bundle Microsoft PC Manager. Coverage applies to any image layer where an affected version (below 3.21.6.0) is present.
HarborGuard scores this CVE at 7.8 HIGH using the CVSS v3.1 vector and is capable of weighting that score against each customer environment's compliance policy to reflect actual organizational risk tolerance. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at Microsoft PC Manager version 3.21.6.0 becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard is capable of triggering the rebuild, running a regression test suite against it, and opening a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network path to the service is required.
- Authentication: Required
  Any low-privilege local account is sufficient; the attacker does not need administrative credentials to begin the attack.
- Victim interaction: Not required
  No user action such as clicking a link or opening a file is needed; the attacker can execute the exploit entirely on their own.
- Attack complexity: Detail
  The exploit is reliable and condition-free, with no race conditions or specific memory-layout requirements to satisfy.
Blast Radius
- A successful attacker reads files and data protected by higher-privilege accounts, including credentials and configuration secrets stored on the host.
- The attacker writes or overwrites files anywhere on the filesystem accessible to the elevated privilege level, including system binaries and configuration.
- The attacker executes arbitrary code at elevated privilege, enabling persistence mechanisms such as scheduled tasks or service installations.
- All three impacts (confidentiality, integrity, and availability) are rated High in the CVSS vector, meaning the attacker can also disrupt or crash system services after privilege escalation.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-50511 is active across all connected registries and pipelines, matching images that bundle Microsoft PC Manager below version 3.21.6.0. A patched rebuild at version 3.21.6.0 is available the moment an affected image is identified. For customers who opt into auto-remediation, HarborGuard can rebuild the image at the fixed version, run a regression test pass, and open a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with fix-version detail so engineers can act manually. Because this is a local privilege escalation rather than a remotely reachable flaw, customers should also consider reviewing which container workloads run Microsoft PC Manager with access to the host filesystem, as reducing that surface limits the conditions an attacker would need to exploit this vulnerability.
- Microsoft / Microsoft PC Manager < 3.21.6.0 (from 1.0.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C