
CVE-2026-45599: Windows 10 1607 Use-After-Free Vulnerability

CVE-2026-45599 is a use-after-free vulnerability in Microsoft Windows 10 1607 Universal Plug and Play that enables remote code execution. This post covers the technical details, affected versions, impact, and mitigation.

CVE-2026-45599 Overview

CVE-2026-45599 is a use-after-free vulnerability in the Windows Universal Plug and Play (UPnP) component upnp.dll. The flaw allows an unauthenticated remote attacker to execute arbitrary code over a network by triggering reuse of freed memory in the UPnP service. Microsoft has confirmed the issue affects a broad range of supported Windows client and server editions, including Windows 10, Windows 11, and Windows Server 2012 through 2025. The vulnerability is tracked under CWE-416 (Use After Free) and is documented in the Microsoft CVE-2026-45599 Advisory.

Critical Impact

An unauthenticated network attacker can achieve remote code execution against Windows hosts exposing the UPnP service, potentially leading to full system compromise.

Affected Products

  • Microsoft Windows 10 (1607, 1809, 21H2, 22H2) across x86, x64, and ARM64
  • Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) across x64 and ARM64
  • Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025

Discovery Timeline

  • 2026-06-09 - CVE-2026-45599 published to NVD
  • 2026-06-11 - Last updated in NVD database

Technical Details for CVE-2026-45599

Vulnerability Analysis

The vulnerability resides in upnp.dll, the Windows library implementing the Universal Plug and Play protocol stack. UPnP enables network devices to discover each other and establish services without manual configuration, and the affected library parses SSDP and SOAP messages received over the network. A use-after-free condition occurs when the component releases a memory object but retains a reference that is later dereferenced during subsequent message processing. An attacker who controls the timing and content of crafted UPnP traffic can manipulate the freed allocation, replace it with attacker-controlled data, and redirect execution flow when the dangling pointer is used. Successful exploitation yields arbitrary code execution in the context of the vulnerable service.

Root Cause

The root cause is improper object lifetime management within upnp.dll, classified as CWE-416. A code path frees a heap-allocated structure without invalidating all references to it, allowing the same memory region to be reallocated and then accessed through the stale pointer. This produces type confusion or a controlled-pointer dereference depending on the reuse pattern.

Attack Vector

Exploitation requires no authentication and no user interaction. An attacker sends specially crafted UPnP protocol messages to a target host where the UPnP service processes network input. The high attack complexity reflects the need to win a memory reuse race and place controlled data into the freed allocation before the dangling reference is dereferenced. Hosts exposing UPnP to untrusted networks or to compromised devices on the local segment are at greatest risk.

No verified public proof-of-concept code is available at the time of writing. Refer to the Microsoft CVE-2026-45599 Advisory for technical details.

Detection Methods for CVE-2026-45599

Indicators of Compromise

  • Unexpected crashes, restarts, or access violations in the SSDPSRV or upnphost services, often visible in Windows Event Log under Application Error events referencing upnp.dll.
  • Anomalous inbound UPnP/SSDP traffic on UDP port 1900 or HTTP SOAP requests to UPnP control endpoints from unexpected sources.
  • Child processes spawned by svchost.exe hosting UPnP services, particularly command interpreters or scripting engines.

Detection Strategies

  • Monitor for malformed SSDP M-SEARCH, NOTIFY, or SOAP control messages that deviate from specification-conformant UPnP traffic patterns.
  • Apply behavioral detection to flag exploitation primitives such as heap spraying, ROP gadget execution, or unusual memory allocations within UPnP service processes.
  • Correlate crash telemetry from upnp.dll with subsequent process creation or network egress events to surface post-exploitation activity.

Monitoring Recommendations

  • Enable Windows Defender Exploit Guard and Attack Surface Reduction rules covering child-process creation from service host processes.
  • Forward Sysmon Event IDs 1, 3, 7, and 11 from systems running UPnP services to a central logging platform for retrospective hunting.
  • Inspect perimeter and east-west traffic for UPnP traffic that originates outside the local broadcast domain, which is anomalous for legitimate use.
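The crash-to-child-process correlation and the "child of the UPnP svchost" indicator described above, as an added PowerShell hunting script (not from the advisory). It assumes Sysmon process-creation logging (Event ID 1) is enabled and that the UPnP services run in their own svchost group, so `-s SSDPSRV` or `-s upnphost` appears on the parent command line.

```powershell
# Added example, not from the advisory: list processes spawned by the svchost.exe
# instance hosting SSDPSRV/upnphost and flag those that follow an upnp.dll crash.
# Assumes Sysmon is installed with process creation (Event ID 1) logging enabled and
# that the UPnP services run in their own svchost group ('-s SSDPSRV' / '-s upnphost'
# on the parent command line).
param(
    [int]$LookbackHours = 24,
    [int]$CrashWindowSeconds = 300   # a child this soon after a crash counts as related
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Application Error records (Event ID 1000) whose faulting module is upnp.dll
$crashes = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'upnp\.dll' })

# Sysmon process creation events, flattened to the fields we need
$children = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Image       = $data['Image']
        CommandLine = $data['CommandLine']
        ParentImage = $data['ParentImage']
        ParentCmd   = $data['ParentCommandLine']
    }
} | Where-Object {
    $_.ParentImage -match '\\svchost\.exe$' -and $_.ParentCmd -match '-s (SSDPSRV|upnphost)\b'
}

# Any child of the UPnP host is suspicious; one shortly after a crash is more so
foreach ($c in $children) {
    $crash = $crashes | Where-Object {
        $_.TimeCreated -le $c.Time -and $_.TimeCreated.AddSeconds($CrashWindowSeconds) -ge $c.Time
    } | Select-Object -First 1
    [pscustomobject]@{
        Time         = $c.Time
        Child        = $c.Image
        CommandLine  = $c.CommandLine
        ParentCmd    = $c.ParentCmd
        AfterCrashAt = if ($crash) { $crash.TimeCreated } else { $null }
    }
}
```

Run it on the endpoint or against forwarded logs; an empty result over a period with no UPnP traffic is the expected baseline.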

How to Mitigate CVE-2026-45599

Immediate Actions Required

  • Apply the Microsoft security updates referenced in the Microsoft CVE-2026-45599 Advisory to all affected Windows client and server builds.
  • Inventory hosts exposing UPnP and prioritize patching for internet-facing or DMZ systems first.
  • Block inbound UDP port 1900 and UPnP control ports at the network perimeter and between untrusted VLANs.

Patch Information

Microsoft has issued cumulative security updates addressing the use-after-free in upnp.dll for all supported Windows 10, Windows 11, and Windows Server versions listed above. Patch identifiers and KB numbers for each affected SKU are published in the Microsoft CVE-2026-45599 Advisory. Administrators should validate that the corresponding KB is installed and that affected services restart after deployment.
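The inventory and post-patch validation steps above (service state, SSDP listener, host firewall block, KB presence) as an added PowerShell posture check that is not part of the advisory. `KB0000000` is a placeholder; substitute the KB number the Microsoft advisory lists for the host's build.

```powershell
# Added example, not from the advisory: report one host's UPnP exposure and patch state.
# $RequiredKB is a placeholder; use the KB for this build from the Microsoft advisory.
param([string]$RequiredKB = 'KB0000000')

$services = foreach ($name in 'SSDPSRV', 'upnphost') {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $name
        Status    = if ($s) { $s.Status } else { 'NotInstalled' }
        StartType = if ($s) { $s.StartType } else { 'n/a' }
    }
}

# A socket bound to UDP/1900 means SSDP is reachable from the network
$listener = Get-NetUDPEndpoint -LocalPort 1900 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Enabled inbound block rules covering UDP/1900 on the host firewall
$fwBlock = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'UDP' -and (@($pf.LocalPort) -contains '1900')
    }

# Get-HotFix lists installed updates by KB id
$patched = [bool](Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OSBuild        = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    Services       = $services
    SsdpListening  = [bool]$listener
    FirewallBlock  = [bool]$fwBlock
    PatchInstalled = $patched
    # Exposed: still listening, not blocked at the host, and not yet patched
    Exposed        = ([bool]$listener -and -not [bool]$fwBlock -and -not $patched)
}
```

Run it with Invoke-Command across the host inventory and sort on `Exposed` to build the patching priority list.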

Workarounds

  • Disable the SSDP Discovery service (SSDPSRV) and the UPnP Device Host service (upnphost) on systems that do not require UPnP functionality.
  • Restrict UPnP traffic to trusted network segments using host-based firewall rules and group policy.
  • Segment IoT and consumer devices from corporate endpoints to limit attacker pivot opportunities.
The service and firewall workarounds as commands:

```powershell
# Disable UPnP-related services on Windows hosts that do not require them.
# upnphost depends on SSDPSRV, so stop the dependent service first; stopping
# SSDPSRV while upnphost is running fails with ERROR_DEPENDENT_SERVICES_RUNNING.
sc.exe config upnphost start= disabled
sc.exe stop upnphost
sc.exe config SSDPSRV start= disabled
sc.exe stop SSDPSRV

# Block inbound SSDP traffic at the host firewall
netsh advfirewall firewall add rule name="Block SSDP UDP 1900" dir=in action=block protocol=UDP localport=1900
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
