CVE-2026-50666 is a Windows Remote Access elevation of privilege vulnerability caused by a use-after-free condition. Microsoft rates it High severity with a CVSS v3.1 base score of 8.8 and a temporal score of 7.7. The vector is network-based (AV:N), with low attack complexity, low required privileges, and no user interaction. If exploited, an attacker could gain SYSTEM privileges. Microsoft reports no public disclosure and no known exploitation, with exploit code maturity listed as UNPROVEN. Because this is network-reachable and does not require user interaction, it is relevant for enterprise environments, especially where affected Windows systems expose remote access components. Highlights: - CVSS scores: Base 8.8 - Temporal 7.7 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; confidentiality HIGH, integrity HIGH, availability HIGH; successful exploitation could grant SYSTEM privileges. - Exploitation likelihood: Exploitation Less Likely; vector context is NETWORK, LOW attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High. The network vector and no user interaction increase concern for exposed systems, but current disclosure/exploitation status suggests lower immediate risk than actively exploited issues. - Patch status: available; customer action required. Affected systems: - Windows 10 1607 - Windows 10 1809 - Windows 10 21H2 - Windows 10 22H2 - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2012 R2 - Windows Server 2016 - Windows Server 2019 - Windows Server 2022 - Windows Server 2025