CVE-2026-58636 is a Microsoft PC Manager elevation of privilege vulnerability caused by improper link resolution before file access (“link following”). Microsoft says a successful exploit could grant SYSTEM privileges. The CVSS v3.1 base score is 7.8 (High) with a temporal score of 6.8; the vector is LOCAL, LOW attack complexity, LOW privileges required, and NO user interaction. Microsoft has not reported public disclosure or active exploitation, and exploit code maturity is UNPROVEN. Because this is a local privilege escalation issue, enterprise risk is mainly on systems where untrusted local code or users can execute. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; confidentiality, integrity, and availability impacts are all HIGH if exploited. Microsoft states an attacker could gain SYSTEM privileges. - Exploitation likelihood: Exploitation Less Likely; vector context is LOCAL with LOW attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High on affected local Windows endpoints, but lower than network-reachable vulnerabilities because exploitation requires local access/conditions rather than remote access. - Patch status: available; customer action is required. Affected systems: - Microsoft PC Manager