CVE-2026-50438 is a Microsoft PC Manager elevation of privilege vulnerability caused by improper link resolution before file access (“link following”). It has a CVSS v3.1 base score of 8.8 and temporal score of 7.7, with a LOCAL attack vector, LOW attack complexity, LOW privileges required, and no user interaction. The scope is changed and the impact is high for confidentiality, integrity, and availability. Microsoft indicates the issue is not publicly disclosed and has not been exploited, with exploit code maturity marked UNPROVEN. Because this is a local elevation-of-privilege issue, enterprise risk is primarily on systems where attackers can obtain local execution or low-privileged access. Highlights: - CVSS scores: Base 8.8 - Temporal 7.7 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; confidentiality HIGH, integrity HIGH, availability HIGH. - Exploitation likelihood: Exploitation Less Likely; local vector, LOW attack complexity, LOW privileges required, and no user interaction. - Severity for enterprise: High severity by CVSS, but risk is lower than network-exposed vulnerabilities because exploitation requires local access. Enterprise concern is greatest on endpoints or shared systems where a low-privileged attacker could run code locally. - Patch status: available; customer action required. Affected systems: - Microsoft PC Manager