CVE-2026-50480 is a Windows Web Proxy Auto-Discovery Protocol (WPAD) elevation of privilege vulnerability caused by a heap-based buffer overflow. Microsoft rates it at CVSS v3.1 base 7.8 and temporal 6.8, with a LOCAL attack vector, LOW attack complexity, LOW privileges required, and no user interaction. The impact is Elevation of Privilege with HIGH confidentiality, integrity, and availability impacts. Microsoft lists no public disclosure and no known exploitation; exploit code maturity is UNPROVEN. Because it requires local access, the enterprise risk is lower than for network-reachable vulnerabilities, but it is still significant on systems where attackers can obtain local execution or low-privilege access. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Less Likely; LOCAL vector with LOW attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High severity by CVSS, but real-world exposure is reduced by the local-only attack vector; highest relevance is on internal Windows hosts where a local attacker or low-privilege foothold may exist. - Patch status: available; customer action required. Affected systems: - Windows 10 1607 - Windows Server 2012 - Windows Server 2012 R2 - Windows Server 2016