CVE-2026-50687 is a Windows Win32k use-after-free elevation of privilege vulnerability. Microsoft rates it High severity with a CVSS v3.1 base score of 8.8 and temporal score of 7.7. The attack vector is LOCAL, attack complexity is LOW, privileges required are LOW, and user interaction is NONE; scope is CHANGED and the impact is high for confidentiality, integrity, and availability. Microsoft says it is not publicly disclosed and not exploited, with exploit code maturity UNPROVEN. In enterprise terms, this is a high-severity local privilege escalation issue that is more relevant to systems where an attacker can obtain low-privilege local access. Highlights: - CVSS scores: Base 8.8 - Temporal 7.7 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; confidentiality HIGH, integrity HIGH, availability HIGH. - Exploitation likelihood: Latest Software Release: Exploitation Less Likely; local vector with LOW attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High due to SYSTEM-level privilege escalation potential, but risk is limited to local compromise paths rather than network-exposed attack surface. - Patch status: available; customer action required. Affected systems: - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2025