Cyber Posture

CVE-2026-27916

High

Published: 14 April 2026

Published
14 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 15.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27916 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 15.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the use-after-free vulnerability in Windows UPnP Device Host through timely identification, reporting, and patching as specified in Microsoft's update guide.

SI-16 Memory Protection good match
prevent

Implements memory protection mechanisms such as address space randomization and non-executable memory to directly prevent exploitation of the use-after-free flaw.

CM-7 Least Functionality partial match
prevent

Restricts unnecessary UPnP Device Host functionality to reduce the attack surface for local privilege escalation via this vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Local use-after-free in Windows UPnP Device Host enables privilege escalation from low-privileged account with no user interaction, directly matching T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.

Deeper analysisAI

CVE-2026-27916 is a use-after-free vulnerability (CWE-416) in the Windows Universal Plug and Play (UPnP) Device Host. This flaw affects Windows systems and was published on 2026-04-14 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by an authorized local attacker who already has low-level privileges on the target system. Exploitation requires low complexity and no user interaction, allowing the attacker to elevate privileges locally and achieve high impacts on confidentiality, integrity, and availability.

Microsoft's update guide provides details on mitigation and patching for this vulnerability, available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27916.

Details

CWE(s)
CWE-416

Affected Products

microsoft
windows 10 1607
≤ 10.0.14393.9060 · ≤ 10.0.14393.9060
microsoft
windows 10 1809
≤ 10.0.17763.8644 · ≤ 10.0.17763.8644
microsoft
windows 10 21h2
≤ 10.0.19044.7184 · ≤ 10.0.19044.7184 · ≤ 10.0.19044.7184
microsoft
windows 10 22h2
≤ 10.0.19045.7184 · ≤ 10.0.19045.7184 · ≤ 10.0.19045.7184
microsoft
windows 11 23h2
≤ 10.0.22631.6936 · ≤ 10.0.22631.6936
microsoft
windows 11 24h2
≤ 10.0.26100.8246 · ≤ 10.0.26100.8246
microsoft
windows 11 25h2
≤ 10.0.26200.8246 · ≤ 10.0.26200.8246
microsoft
windows 11 26h1
≤ 10.0.28000.1836 · ≤ 10.0.28000.1836
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.9060
+4 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-27915Same product: Microsoft Windows 10 1607
CVE-2026-32156Same product: Microsoft Windows 10 1607
CVE-2026-27909Same product: Microsoft Windows 10 1607
CVE-2026-27923Same product: Microsoft Windows 10 1607
CVE-2026-24289Same product: Microsoft Windows 10 1607
CVE-2026-33098Same product: Microsoft Windows 10 1607
CVE-2026-20822Same product: Microsoft Windows 10 1607
CVE-2026-24292Same product: Microsoft Windows 10 1809
CVE-2026-32078Same product: Microsoft Windows 10 1809
CVE-2026-23669Same product: Microsoft Windows 10 1607

References