CVE-2026-58547: Install July Updates to Fix Windows UPnP Privilege Escalation

Microsoft’s July 14, 2026 security updates fix CVE-2026-58547, an elevation-of-privilege vulnerability in Windows Universal Plug and Play Device Host. Administrators should deploy the month’s cumulative updates promptly: the flaw is a heap-based buffer overflow in upnp.dll that a logged-on, authorized attacker could use to gain higher privileges on the same machine.
Microsoft published the advisory on July 14 as part of its July 2026 Patch Tuesday release. The National Vulnerability Database, reflecting Microsoft’s CNA record, assigns the flaw a CVSS 3.1 score of 5.5, or Medium severity, with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. That combination matters: this is not a wormable, unauthenticated network entry point, but a reliable local privilege-escalation opportunity can turn a limited foothold into a far more disruptive compromise.
Microsoft’s public description remains deliberately compact. The company identifies a heap-based buffer overflow in the Universal Plug and Play component and says exploitation requires local access plus existing low-level privileges. No public proof of concept, exploit code, or evidence of in-the-wild exploitation had been listed in the advisory data at publication.

Futuristic cybersecurity network protecting connected devices, servers, and data with glowing shields and locks.The immediate fix is the July cumulative update​

The patched builds documented by Microsoft and mirrored in NVD’s affected-product record include the following:
  • Windows 10 version 1809 and Windows Server 2019 are protected at OS Build 17763.9020 through KB5099538.
  • Windows 10 version 21H2 and version 22H2 are protected at OS Builds 19044.7548 and 19045.7548 through KB5099539, where those editions remain under Enterprise LTSC or Extended Security Updates coverage.
  • Windows 11 version 24H2 is protected at OS Build 26100.8875 through KB5101650; the same package also services Windows 11 version 25H2 on Build 26200.8870.
  • Windows 11 version 26H1 is protected at OS Build 28000.2525 through KB5101649.
  • Windows Server 2022 is protected at OS Build 20348.5386 through KB5099540.
For managed environments, the practical test is not whether a device has merely checked Windows Update. It is whether its reported build has reached the applicable July 14 level or a later cumulative update. Organizations using Windows Server Update Services, Microsoft Configuration Manager, Intune, or another patch-management platform should confirm that the relevant July security update was approved, deployed, installed, and rebooted where required.
Microsoft’s July update notes say the releases are distributed through Windows Update, Windows Update for Business, the Microsoft Update Catalog, and WSUS according to the product’s normal servicing channels. As usual for cumulative updates, a later supported monthly update also contains this fix.

Why UPnP Device Host still deserves attention​

UPnP is often associated with consumer networking equipment, media devices, and automatic device discovery, but Windows retains a broader Device Host framework. Microsoft’s developer documentation says the framework can manage discovery, description, control, presentation, and eventing for UPnP-based devices implemented on a Windows computer.
The vulnerable DLL, upnp.dll, is therefore part of an older but still-present Windows networking and device-services surface. Microsoft’s service-management documentation lists UPnP Device Host under the UPnPHost service name and identifies its default startup setting as Manual on current managed Windows editions. Manual is not the same thing as removed: a service can be activated when a dependent feature, application, or configuration invokes it.
The distinction is important for incident response. CVE-2026-58547 is classified as local, so simply blocking SSDP discovery traffic at a network boundary should not be treated as a substitute for patching. Segmentation and host firewalls remain sensible defense-in-depth controls, but the security boundary at issue is inside the endpoint after an attacker or malicious local process already has a foothold.
Microsoft’s Windows Server networking reference associates UPnP Device Host with TCP port 2869. That operational detail may help defenders inventory exposure and assess whether the service is being used, particularly on specialized systems. It does not change the vendor’s stated attack requirements for this CVE.

Medium severity does not mean low operational priority​

The CVSS score reflects a meaningful limitation: an attacker must already be authorized locally and have low privileges. This flaw does not appear to provide initial access by itself, and Microsoft has not indicated that user interaction is needed once the preconditions are met.
But the score also reflects a high availability impact. The published vector indicates no confidentiality or integrity impact in the base assessment, while availability is rated High. In practical terms, that makes the issue relevant to ransomware containment and post-compromise defense: attackers commonly chain a local escalation flaw after obtaining access through a phishing payload, exposed remote-access service, malicious installer, or compromised standard user account.
CISA’s SSVC data for the CVE currently characterizes exploitation as “none,” automation as “no,” and technical impact as “partial.” That is useful triage context, not a reason to defer the update indefinitely. The assessment means there is no confirmed public exploitation signal in the record and no indication that attacks are readily automatable; it does not mean the underlying buffer overflow is speculative.
The vulnerability’s existence and core technical mechanism are vendor-confirmed. What is not public is the precise triggering input, the affected code path, exploit reliability, and whether service configuration meaningfully changes exposure. Administrators should avoid assuming that disabling UPnP on a subset of endpoints eliminates the risk unless they have validated that mitigation against their own applications and configurations.

Patch first, then measure service dependency​

For most organizations, the remediation order is straightforward: deploy the July 14 cumulative update, validate installation, and then use the CVE as a prompt to review whether UPnP Device Host is required anywhere in the estate.
Systems with dedicated appliance-discovery, media-streaming, legacy device-management, or custom UPnP workloads may need a more careful review. Microsoft warns in its UPnP documentation that disabling the service can affect components dependent on it. That makes a blanket emergency disablement a poor default when a vendor-supplied security update is available.
A targeted inventory can still be useful. Security teams can identify machines where UPnPHost is running, determine whether the service is set to Automatic rather than Manual, inspect listening ports and relevant application dependencies, and look for unexpected local activity around the service. Those steps are risk-reduction and detection measures—not replacements for reaching the fixed build.
Microsoft’s July 2026 Windows updates also introduce a separate networking hardening change affecting unregistered third-party TDI transports. Teams should include that compatibility change in normal pilot-ring validation rather than treating CVE-2026-58547 as an isolated patch decision. The UPnP flaw itself has no documented workaround that offers the certainty of the cumulative update; the actionable milestone is getting affected clients and servers to their July 14, 2026 build or later.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
 

Back
Top