Cyber Resilience

CVE-2026-27916

High

Published: 14 April 2026

Published
14 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 18.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27916 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 18.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27916 is a use-after-free vulnerability (CWE-416) in the Windows Universal Plug and Play (UPnP) Device Host. This flaw affects Windows systems and was published on 2026-04-14 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by an authorized local attacker who already has low-level privileges on the target system. Exploitation requires low complexity and no user interaction, allowing the attacker to elevate privileges locally and achieve high impacts on confidentiality, integrity, and availability.

Microsoft's update guide provides details on mitigation and patching for this vulnerability, available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27916.

EU & UK References

Vulnerability details

Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local use-after-free in Windows UPnP Device Host enables privilege escalation from low-privileged account with no user interaction, directly matching T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34338Same product: Microsoft Windows 10 1607
CVE-2026-40382Same product: Microsoft Windows 10 1607
CVE-2026-27923Same product: Microsoft Windows 10 1607
CVE-2026-32156Same product: Microsoft Windows 10 1607
CVE-2026-27915Same product: Microsoft Windows 10 1607
CVE-2026-40408Same product: Microsoft Windows 10 1607
CVE-2026-24289Same product: Microsoft Windows 10 1607
CVE-2026-27909Same product: Microsoft Windows 10 1607
CVE-2026-33098Same product: Microsoft Windows 10 1607
CVE-2026-20822Same product: Microsoft Windows 10 1607

Affected Assets

microsoft
windows 10 1607
≤ 10.0.14393.9060 · ≤ 10.0.14393.9060
microsoft
windows 10 1809
≤ 10.0.17763.8644 · ≤ 10.0.17763.8644
microsoft
windows 10 21h2
≤ 10.0.19044.7184 · ≤ 10.0.19044.7184 · ≤ 10.0.19044.7184
microsoft
windows 10 22h2
≤ 10.0.19045.7184 · ≤ 10.0.19045.7184 · ≤ 10.0.19045.7184
microsoft
windows 11 23h2
≤ 10.0.22631.6936 · ≤ 10.0.22631.6936
microsoft
windows 11 24h2
≤ 10.0.26100.8246 · ≤ 10.0.26100.8246
microsoft
windows 11 25h2
≤ 10.0.26200.8246 · ≤ 10.0.26200.8246
microsoft
windows 11 26h1
≤ 10.0.28000.1836 · ≤ 10.0.28000.1836
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.9060
+4 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the use-after-free vulnerability in Windows UPnP Device Host through timely identification, reporting, and patching as specified in Microsoft's update guide.

prevent

Implements memory protection mechanisms such as address space randomization and non-executable memory to directly prevent exploitation of the use-after-free flaw.

prevent

Restricts unnecessary UPnP Device Host functionality to reduce the attack surface for local privilege escalation via this vulnerability.

References