Impact
A use-after-free in Universal Plug and Play (upnp.dll) enables an unauthenticated attacker to send crafted network traffic to a Windows system and execute arbitrary code. The vulnerability is a memory corruption weakness (CWE-416); the attacker's code can run with the privileges of the UPnP Device Host service, which may allow the attacker to take full control of the host because no further privilege escalation is required.
Affected Systems
Microsoft Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025 – including core installations – are all affected. The flaw exists in the upnp.dll component present in all these builds.
Risk and Exploitability
The CVSS score of 8.1 marks this as a high-severity flaw. No EPSS score is available, and the lack of public exploit code does not eliminate the risk of an attacker crafting a payload. The vulnerability is not listed in the CISA KEV catalog, but because it is reachable over the network and can lead to complete system compromise, it warrants immediate attention. Attackers would need to be connected to the local network or exploit remote UPnP traffic, and any host that exposes UPnP services without proper isolation is at risk.
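To find hosts that expose UPnP services, the following PowerShell check reports the state of the UPnP services, their listeners, and the installed upnp.dll file version on the local machine. It is an added example, not part of the advisory. The service names (`upnphost`, `SSDPSRV`) and ports (UDP 1900, TCP 2869) are assumptions based on default Windows behaviour and do not come from this page; the page gives no fixed file version, so compare the reported version against the vendor's update guidance.

```powershell
# Added example: summarize UPnP exposure on the local Windows host.
# Assumptions (not from the advisory): service names upnphost / SSDPSRV,
# SSDP discovery on UDP 1900, UPnP Device Host listener on TCP 2869.
function Get-UpnpExposure {
    # Service state, start mode and the account the service runs as
    $services = foreach ($name in 'upnphost', 'SSDPSRV') {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($svc) {
            [pscustomobject]@{
                Name      = $svc.Name
                State     = $svc.State
                StartMode = $svc.StartMode
                Account   = $svc.StartName
            }
        }
    }

    # Listeners on the assumed default UPnP ports; empty when nothing is bound
    $udp = Get-NetUDPEndpoint -LocalPort 1900 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
    $tcp = Get-NetTCPConnection -LocalPort 2869 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess

    # Installed file version of the affected component, for patch verification
    $dll = Get-Item (Join-Path $env:SystemRoot 'System32\upnp.dll') -ErrorAction SilentlyContinue
    $running = @($services | Where-Object { $_.State -eq 'Running' })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Services           = $services
        SsdpUdp1900        = $udp
        UpnpTcp2869        = $tcp
        UpnpDllVersion     = if ($dll) { $dll.VersionInfo.FileVersion } else { $null }
        # True when a UPnP service is running or a listener is bound.
        # A bound listener does not prove reachability through the firewall.
        ListeningOrRunning = [bool]($udp -or $tcp -or $running.Count)
    }
}

Get-UpnpExposure | Format-List
```

Hosts where `ListeningOrRunning` is true and that sit on untrusted or unsegmented networks are the ones to prioritize for patching or isolation.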