CVE-2026-50392 – Windows Secure Kernel Mode Elevation of Privilege Vulnerability

CVSS 7 IMPORTANT Critical or Zero Day – Immediate Deployment

“When attackers turn a local foothold into SYSTEM-level control, the entire security boundary is at risk.”

A use-after-free vulnerability in Windows Secure Kernel Mode allows an authorized attacker to elevate privileges locally. By exploiting improper memory management, an attacker with low privileges could gain SYSTEM-level privileges, enabling complete control over the affected device. Although successful exploitation requires winning a race condition, the impact of a successful attack is severe and could lead to full system compromise.

CVSS Score: 7.0

SEVERITY: Critical

THREAT:
This vulnerability affects Windows Secure Kernel Mode and is caused by a use-after-free memory handling flaw. An attacker with low privileges who has local access to a vulnerable system could exploit the vulnerability to elevate privileges to SYSTEM. Once elevated, an attacker can bypass security boundaries, disable security controls, install malware, and access sensitive data.

EXPLOITS:
At the time of publication, the vulnerability was not publicly disclosed and was not being actively exploited. Microsoft assesses exploitation as Less Likely. The CVSS v3.1 temporal metrics indicate Exploit Code Maturity: Unproven, and there is no confirmed public proof-of-concept exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by a use-after-free (CWE-416) condition in Windows Secure Kernel Mode. Improper memory management allows an authenticated attacker with low privileges to manipulate freed memory and elevate privileges. Microsoft notes that successful exploitation requires the attacker to win a race condition, which is reflected in the High Attack Complexity rating. According to the CVSS v3.1 metrics, exploitation requires a local attack vector, high attack complexity, low privileges, and no user interaction. A successful exploit could result in complete compromise of confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected products include Windows 11 versions 24H2, 25H2, and 26H1, as well as Windows Server 2025, including Server Core installations. Exploitation requires local access and low privileges. No user interaction is required. A successful exploit could allow an attacker to obtain SYSTEM privileges.

BUSINESS IMPACT:
Privilege escalation vulnerabilities are frequently used after an attacker gains initial access to a system. Obtaining SYSTEM privileges allows attackers to disable security protections, execute malware with maximum privileges, steal sensitive information, establish persistence, and move laterally throughout an enterprise. Even though exploitation is considered less likely, the consequences of a successful attack are significant.

WORKAROUND:
No mitigations or workarounds are available. Apply the appropriate security update to affected systems.

URGENCY:
This update should be prioritized because it addresses a Critical elevation of privilege vulnerability that can grant SYSTEM privileges. While exploitation requires winning a race condition and Microsoft assesses exploitation as less likely, successful exploitation can completely compromise an affected system and enable further attacks across the environment.

Key Details

Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
CWE Classification
CWE-416
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.