CVE-2026-58538 is a Windows Bluetooth Service elevation of privilege vulnerability caused by a heap-based buffer overflow. Microsoft rates it CVSS v3.1 7.8 (High) with a temporal score of 6.8. The vector is local-only, requires low privileges, and no user interaction. If exploited, it can impact confidentiality, integrity, and availability at a high level. Microsoft reports no public disclosure and no known exploitation; exploit code maturity is unproven. Because the attack is local rather than network-based, enterprise risk is mainly limited to systems where an attacker can already obtain local access. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN - Impact: Elevation of Privilege with HIGH confidentiality, HIGH integrity, and HIGH availability impacts - Exploitation likelihood: Exploitation Less Likely; local attack vector, LOW attack complexity, LOW privileges required, and NO user interaction - Severity for enterprise: High severity by CVSS, but lower exposure risk than remote vulnerabilities because exploitation requires local access on the affected host - Patch status: available; customer action required Affected systems: - Windows 10 1809 - Windows 10 21H2 - Windows 10 22H2 - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2019 - Windows Server 2022 - Windows Server 2025