CVE-2026-50512: Microsoft PC Manager Elevation of Privilege Vulnerability
Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 3.21.6.0
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A link-following vulnerability (also called a symlink or junction attack) in Microsoft PC Manager allows a local attacker to elevate their privileges on the affected machine. The attacker must already have a low-privilege account on the system and does not need network access or any help from another user. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected system. A patched-image rebuild at version 3.21.6.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Microsoft PC Manager below version 3.21.6.0.
AvailableHarborGuard scores this CVE at 7.8 HIGH (CVSS v3.1) and is capable of weighting that score against each customer organization's compliance policy to determine urgency tier and route findings to the appropriate team inbox.
AvailableA patched-image rebuild at Microsoft PC Manager version 3.21.6.0 becomes available through HarborGuard once an affected image is identified. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access is required to trigger the vulnerability.
- AuthenticationRequired
Any low-privilege local account is sufficient; the attacker does not need administrative or elevated credentials before exploitation.
- Victim interactionNot required
No other user needs to take any action; the attacker can execute the attack entirely on their own.
- Attack complexityDetail
The exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or unusual environmental factors.
Blast Radius
- A successful attacker reads protected files, credentials, and application data belonging to other users or the system.
- A successful attacker writes to or replaces protected files, enabling persistent backdoors or corruption of system state.
- A successful attacker can crash or disable the affected service or the host operating system, causing a loss of availability.
- Because all three impact dimensions are HIGH, a single exploitation event can yield full local system compromise in one step.
How HarborGuard Handles This
Available on HarborGuard: images containing Microsoft PC Manager below version 3.21.6.0 are flagged automatically as new scan results arrive. For customers who opt into auto-remediation, HarborGuard rebuilds the image at version 3.21.6.0, runs a regression test, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before merging, the finding is routed to the designated team inbox with full CVSS context attached. Because this is a local privilege escalation with no network component, customers who cannot immediately patch should consider restricting which container images are permitted to run with elevated host privileges as a compensating control.
- Microsoft / Microsoft PC Manager< 3.21.6.0 (from 1.0.0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C