Back to board Open MSRC
MSRC compact vulnerability detail

CVE-2026-32212 · Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability

Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.

Severity
Important
Impact
Information Disclosure
CVSS
5.5 base · 4.8 temporal
Release
2026-04-14
Signals
Universal Plug and Play (upnp.dll) Information Disclosure Exploited: No Publicly disclosed: No Exploitability: Exploitation Less Likely
CWE
CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-269: Improper Privilege Management
Patch Diff
Loading module diff metadata...
Resolved binary override
Use this when the MSRC module name cannot be mapped automatically or the resolved binary looks wrong.
Old version New version
Description
Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.
FAQ / Articles
Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability
Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.
FAQ
What type of information could be disclosed by this vulnerability? This vulnerability could allow a local, non‑administrator attacker to read any files that are accessible to the UPnP Device Host Service, which runs under the LOCAL SERVICE account. This may include restricted system files or configuration data that the attacker would not normally be able to access. The specific information exposed depends on the files that the service is permitted to read.