CVE-2026-50673 is a Windows Kernel Elevation of Privilege vulnerability described as a NULL Pointer Dereference. It has a CVSS v3.1 base score of 7.8 and temporal score of 6.8, with a LOCAL attack vector, HIGH attack complexity, LOW privileges required, and no user interaction. The scope is changed and the impact is elevation of privilege, with HIGH confidentiality, integrity, and availability impacts. Microsoft reports no public disclosure and no known exploitation, and exploit code maturity is UNPROVEN. Enterprise risk is primarily for systems where a local attacker already has access, since this is not a network-exploitable issue. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN - Impact: Elevation of Privilege; confidentiality, integrity, and availability impacts are all HIGH. Microsoft states a successful attacker could gain SYSTEM privileges. - Exploitation likelihood: Not stated as "Exploitation More Likely"; vector context is LOCAL with HIGH attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High severity, but risk is lower than network-facing vulnerabilities because exploitation requires local access. This is more relevant for endpoints, servers with untrusted local users, and multi-user Windows systems. - Patch status: available Affected systems: - Windows 10 1607 - Windows 10 1809 - Windows 10 21H2 - Windows 10 22H2 - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2012 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server 2019 - Windows Server 2022 - Windows Server 2025