CVE-2026-49800
Received Received - Intake

Integer Overflow in Windows WPAD Elevates Privileges

Vulnerability report for CVE-2026-49800, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Microsoft Corporation

Description

Integer overflow or wraparound in Windows Web Proxy Auto-Discovery Protocol (WPAD) allows an authorized attacker to elevate privileges locally.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
microsoft wpad *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

If exploited, this vulnerability can have serious consequences for affected systems and users.

  • An attacker with local access could elevate their privileges, potentially gaining administrative or SYSTEM-level control over the system.
  • With elevated privileges, the attacker could execute arbitrary code, install malware, or access sensitive data stored on the system.
  • The vulnerability could be used as part of a larger attack chain to compromise additional systems or networks.

The CVSS base score of 7.8 (High) indicates a significant risk, particularly in environments where local access is possible.

Compliance Impact

This vulnerability could impact compliance with several standards and regulations, depending on the context of its exploitation.

  • GDPR: If the vulnerability leads to unauthorized access to personal data, it could result in a breach of GDPR requirements, particularly Article 32 (security of processing) and Article 33 (notification of data breaches).
  • HIPAA: For organizations handling protected health information (PHI), exploitation of this vulnerability could lead to unauthorized access to PHI, violating the HIPAA Security Rule (45 CFR Part 164, Subpart C).
  • Other standards like ISO 27001 or NIST frameworks may also be affected, as they require organizations to maintain secure systems and protect against privilege escalation vulnerabilities.

Failure to patch or mitigate this vulnerability could result in non-compliance, potential fines, or legal consequences if it leads to a data breach or loss of system integrity.

Mitigation Strategies

Apply the security update provided by Microsoft to address the integer overflow or wraparound in the Windows Web Proxy Auto-Discovery Protocol (WPAD).

  • Visit the Microsoft Update Guide for CVE-2026-49800 to download and install the patch.
  • Ensure all systems running affected versions of Windows are updated promptly.
Executive Summary

CVE-2026-49800 is an integer overflow or wraparound vulnerability in the Windows Web Proxy Auto-Discovery Protocol (WPAD). This flaw allows an authorized attacker with local access to exploit the vulnerability and elevate their privileges on the affected system.

WPAD is a protocol used by systems to automatically locate and configure proxy settings. Due to the integer overflow or wraparound issue, an attacker could manipulate the protocol's behavior to gain higher privileges than intended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49800. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart