CVE-2026-50688 is a Windows Win32k elevation of privilege vulnerability caused by a use-after-free issue. Microsoft rates it as High severity with a CVSS v3.1 base score of 7.8 and temporal score of 6.8. The attack vector is local, requires low privileges, no user interaction, and has changed scope with high confidentiality, integrity, and availability impact. Microsoft says exploitation is not publicly disclosed and not known to be exploited, but rates exploitation as more likely. If successfully exploited, an attacker could gain SYSTEM privileges. Enterprise risk is mainly to systems where local code execution or untrusted local users are a concern, rather than network-facing services. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; confidentiality, integrity, and availability impacts are all HIGH; successful exploitation could grant SYSTEM privileges. - Exploitation likelihood: Exploitation More Likely; the vector is LOCAL, with LOW privileges required, HIGH attack complexity, and NO user interaction. - Severity for enterprise: High technical severity, but risk is primarily for local attack paths and systems where local access or untrusted users/code are present; it is not a network-exposed, no-interaction remote attack. - Patch status: available; customer action is required. Affected systems: - Windows 10 1607, 1809, 21H2, 22H2 - Windows 11 24H2, 25H2, 26H1, unspecified - Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025