CVE-2026-50486 is a Windows Runtime Elevation of Privilege vulnerability caused by a use-after-free condition. Microsoft rates it as CVSS v3.1 7.8 High with a temporal score of 6.8; the vector is local, low attack complexity, low privileges required, no user interaction, and unchanged scope, with high confidentiality, integrity, and availability impact. Microsoft states there is no public disclosure and no known exploitation, and exploit code maturity is unproven. If successfully exploited, an attacker could gain SYSTEM privileges. Because it is local-only rather than network-exploitable, enterprise risk is concentrated on systems where untrusted local code or users can run. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; confidentiality, integrity, and availability impacts are all HIGH; successful exploitation can grant SYSTEM privileges. - Exploitation likelihood: Not stated as "Exploitation More Likely" in the source data; local attack vector, LOW complexity, LOW privileges required, and no user interaction. - Severity for enterprise: High severity by CVSS, but lower exposure risk for internet-facing services because the attack is LOCAL. Higher concern for endpoints or multi-user Windows systems where local code execution by an attacker may be possible. - Patch status: available; customer action required. Affected systems: - Windows 10 21H2 - Windows 10 22H2 - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2025