CVE-2026-27920 Overview
CVE-2026-27920 is a local privilege escalation vulnerability in the Windows Universal Plug and Play (UPnP) Device Host service. The flaw stems from an untrusted pointer dereference [CWE-822] that allows an authorized local attacker to execute code with elevated privileges. Microsoft published the advisory on April 14, 2026, with the entry last modified on April 22, 2026.
The vulnerability affects a broad set of Windows client and server releases, including Windows 10, Windows 11, and Windows Server editions from 2012 through 2025. Successful exploitation compromises confidentiality, integrity, and availability on the targeted host.
Critical Impact
An authenticated local attacker can dereference an untrusted pointer in the UPnP Device Host to gain SYSTEM-level privileges, enabling full host compromise.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2) across x86, x64, and ARM64 builds
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) on x64 and ARM64
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-04-14 - CVE-2026-27920 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-27920
Vulnerability Analysis
The Universal Plug and Play (UPnP) Device Host service (upnphost) brokers device discovery and control messages on Windows systems. CVE-2026-27920 is classified under [CWE-822] Untrusted Pointer Dereference, indicating the service reads a pointer value from a source that an attacker can influence and dereferences it without validation.
When the service operates on the attacker-controlled pointer, the resulting memory access occurs inside a privileged service process. Depending on whether the dereference is a read or a write, the attacker can either redirect execution or corrupt data structures within the service's address space, and from there elevate from a low-privilege account to SYSTEM.
The attack requires local access and low-privileged authentication. No user interaction is necessary. In CVSS terms the scope is unchanged: the vulnerable component and the impacted resources are governed by the same security authority (the local operating system), so the consequence is full control of the host rather than of a separate trust boundary.
Root Cause
The underlying defect is the use of a pointer value that originates from untrusted input without verifying that it references a valid, expected memory region. The UPnP Device Host service trusts the pointer and performs a read or write through it, allowing the attacker to direct the dereference to memory of their choosing.
Attack Vector
An attacker with valid local credentials interacts with the UPnP Device Host service through its exposed interfaces. By submitting crafted input that influences a pointer value consumed by the service, the attacker triggers the dereference and pivots into code execution at the privilege level of the service. The vulnerability mechanism is described in prose only; no public proof-of-concept exploit code is referenced in the Microsoft Security Update CVE-2026-27920 advisory.
Detection Methods for CVE-2026-27920
Indicators of Compromise
- Unexpected crashes or restarts of the upnphost service recorded in the System event log
- Child processes created by the svchost.exe instance that hosts the UPnP Device Host service; under normal operation this service does not spawn processes, so any child is worth examining
- Low-privileged local accounts that begin performing privilege-sensitive actions (service configuration changes, new local administrators, scheduled task creation) shortly after obtaining a session on a host where the UPnP Device Host service is running
Detection Strategies
- Monitor for access violations where the faulting module is upnphost.dll, both in Windows Error Reporting telemetry and in Application log Event ID 1000 (Application Error), and watch the System log for Service Control Manager events 7031 and 7034 reporting unexpected termination of the UPnP Device Host service
- Alert on process creation events where the parent is the svchost.exe instance hosting the UPnP Device Host service and the child is an interactive shell, a scripting host, or a LOLBin
- Correlate local logon events with subsequent token elevation or service manipulation actions on the same host
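The first two detection strategies above can be run as a single host-level hunt. The script below is an added example written for this page, not tooling from Microsoft or from the advisory. It assumes Sysmon is installed with process-creation logging (Event ID 1) enabled, and that the UPnP Device Host runs in its own svchost.exe instance launched with a "-s upnphost" argument (the default service-splitting behaviour on current Windows 10/11 and Windows Server builds; verify with Get-CimInstance Win32_Process if your hosts differ). The list of suspicious child binaries is a starting point chosen for this example.

```powershell
# Added example (not from the advisory): hunt for upnphost-related signals on one host.
# Assumptions: Sysmon Event ID 1 is logged; the UPnP Device Host svchost.exe instance
# carries "-s upnphost" on its command line. Run from an elevated PowerShell prompt.
param(
    [int]$LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Binaries the UPnP Device Host has no legitimate reason to spawn (example list).
$suspiciousChildren = @(
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
    'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'
)

function Convert-SysmonEvent {
    # Flatten the <Data Name="..."> elements of a Sysmon event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields['TimeCreated'] = $Event.TimeCreated
    return $fields
}

# Signal 1: process creation whose parent is the upnphost svchost instance.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }
$children = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { Convert-SysmonEvent $_ } |
    Where-Object {
        $_.ParentImage -like '*\svchost.exe' -and
        $_.ParentCommandLine -match '-s\s+upnphost\b'
    }

foreach ($c in $children) {
    $name = [System.IO.Path]::GetFileName($c.Image).ToLower()
    $severity = if ($suspiciousChildren -contains $name) { 'HIGH' } else { 'INFO' }
    Write-Output ("[{0}] {1} upnphost svchost (PID {2}) spawned {3} as {4}: {5}" -f
        $severity, $c.TimeCreated, $c.ParentProcessId, $c.Image, $c.User, $c.CommandLine)
}

# Signal 2a: Service Control Manager 7031/7034 for the UPnP Device Host in the System log.
$scmFilter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034; StartTime = $since }
$scm = Get-WinEvent -FilterHashtable $scmFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'UPnP Device Host' }
foreach ($e in $scm) {
    Write-Output ("[MEDIUM] {0} SCM event {1}: {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
}

# Signal 2b: Application Error 1000 where the faulting module is upnphost.dll.
$werFilter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since }
$wer = Get-WinEvent -FilterHashtable $werFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'upnphost\.dll' }
foreach ($e in $wer) {
    Write-Output ("[MEDIUM] {0} Application Error 1000, faulting module upnphost.dll" -f $e.TimeCreated)
}
```

Any HIGH line is a candidate for immediate triage because the service should never create a shell or scripting host; INFO lines record other children so that an unexpected but unlisted binary is not silently dropped. The third strategy (correlating logon events with later elevation) spans multiple log sources and is better expressed as a SIEM correlation rule than as a host-local script.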
Monitoring Recommendations
- Enable Sysmon process creation, image load, and process access logging on endpoints that run the UPnP Device Host service
- Forward Windows Security and System event logs to a centralized SIEM for correlation and retention
- Track installation status of Microsoft's April 2026 security updates across the fleet to identify unpatched hosts
How to Mitigate CVE-2026-27920
Immediate Actions Required
- Apply the April 2026 Microsoft security updates referenced in the Microsoft Security Update CVE-2026-27920 advisory to all affected Windows and Windows Server systems
- Audit which hosts have the UPnP Device Host service enabled and prioritize patching on those systems
- Restrict local logon rights (Allow log on locally, Allow log on through Remote Desktop Services) so that only accounts with a genuine need for interactive access to a given server or workstation can obtain a local session, since the vulnerability cannot be reached without one
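The fleet audit called for in the monitoring recommendations and in the first two immediate actions can be done in one pass. The script below is an added example for this page, not Microsoft tooling. The KB identifier is an assumption: the advisory lists a different update per OS build and architecture, so the operator supplies the one that applies to the hosts being queried. The host list file is likewise constructed for the example. It requires PowerShell remoting and administrative rights on the targets.

```powershell
# Added example (not from the advisory): which hosts run the UPnP Device Host,
# and which of them still lack a given security update.
# Assumptions: -RequiredKB is filled in from the Microsoft advisory for the target
# OS build; hosts.txt is a one-per-line list of computer names (constructed input).
param(
    [Parameter(Mandatory)] [string]$RequiredKB,     # e.g. the KB for the April 2026 update on this build
    [string]$HostListPath = '.\hosts.txt'
)

$computers = Get-Content -Path $HostListPath | Where-Object { $_.Trim() -ne '' }

$results = Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    param($KB)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='upnphost'"
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        OSCaption   = $os.Caption
        OSVersion   = $os.Version
        UPnPState   = if ($svc) { $svc.State } else { 'NotPresent' }     # Running / Stopped
        UPnPStart   = if ($svc) { $svc.StartMode } else { 'NotPresent' } # Auto / Manual / Disabled
        KBInstalled = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
    }
} -ArgumentList $RequiredKB

# Patch priority: running and unpatched first, then enabled-but-stopped and unpatched,
# then any other unpatched host, then hosts that already carry the update.
$priority = {
    if (-not $_.KBInstalled -and $_.UPnPState -eq 'Running')      { 0 }
    elseif (-not $_.KBInstalled -and $_.UPnPStart -ne 'Disabled') { 1 }
    elseif (-not $_.KBInstalled)                                   { 2 }
    else                                                           { 3 }
}
$ranked = $results | Sort-Object -Property @{ Expression = $priority }, Host

$ranked | Format-Table Host, OSCaption, OSVersion, UPnPState, UPnPStart, KBInstalled -AutoSize
$ranked | Export-Csv -Path '.\upnphost-patch-audit.csv' -NoTypeInformation
```

Get-HotFix reads Win32_QuickFixEngineering, which lists installed cumulative updates but does not always reflect every servicing path; treat a host reported as unpatched as a lead to confirm against its OS build number rather than as proof. Hosts that fail to respond to Invoke-Command are reported as errors and should be chased separately, since an unreachable host is also an unaudited one.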
Patch Information
Microsoft has released security updates that address CVE-2026-27920 for all supported Windows 10, Windows 11, and Windows Server versions listed in the advisory. Refer to the Microsoft Security Update CVE-2026-27920 page for the specific KB articles applicable to each operating system build and architecture.
Workarounds
- Disable the UPnP Device Host service (upnphost) on systems that do not require UPnP functionality
- Use Group Policy or endpoint management tooling to enforce least-privilege local account configurations
- Segment workstations and servers so that compromise of one local account cannot pivot laterally to additional hosts
# Disable the UPnP Device Host service on systems that do not need it.
# Run from an elevated command prompt; stop the service first so the change takes effect immediately.
sc.exe stop upnphost
sc.exe config upnphost start= disabled
# Verify: START_TYPE should read DISABLED
sc.exe qc upnphost
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.