CVSS 3.1 score: 9.8

Microsoft QUIC: Unauthorized Privilege Elevation Over Network

GHSA-gvvw-8j96-8g5r CVE-2026-32179
Summary

An unauthorized attacker can exploit a weakness in Microsoft QUIC (MsQuic) to gain elevated privileges over a network. The flaw is an integer underflow (CWE-191) in how MsQuic decodes the ACK frames it receives. To protect your system, update MsQuic to a patched version listed below.

What to do
  • Update microsoft.native.quic.msquic.openssl to version 2.5.7.
  • Update microsoft.native.quic.msquic.schannel to version 2.5.7.
  • Update microsoft.native.quic.msquic.schannel to version 2.4.18.
  • Update microsoft.native.quic.msquic.openssl to version 2.4.18.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| nuget | | microsoft.native.quic.msquic.openssl | >= 2.5.0-ci.532574, < 2.5.7; < 2.4.18 | Upgrade to 2.5.7 |
| nuget | | microsoft.native.quic.msquic.schannel | >= 2.5.0-ci.532574, < 2.5.7; < 2.4.18 | Upgrade to 2.5.7 |
Original title
MsQuic has a Remote Elevation of Privilege Vulnerability
Original description
### Summary
Improper input validation in Microsoft QUIC allows an unauthorized attacker to elevate privileges over a network.

### Details
Improper Input Validation Integer Underflow (Wrap or Wraparound) when decoding ACK frame.

#### Patches
- Fix underflow in ACK frame parsing - 1e6e999b

### Impact
An attacker who successfully exploited this vulnerability could gain elevated privileges.

### MSRC CVE Info
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32179
GHSA CVSS 3.1: 9.8
Vulnerability type
CWE-191
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026
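
The bug class named above (CWE-191 while decoding an ACK frame), as an added example that is not MsQuic's code and not the change in 1e6e999b, whose details this page does not give: the packet-number range arithmetic from RFC 9000 section 19.3.1 with every subtraction checked, so a malformed frame is rejected instead of wrapping around. The names `ack_block`, `pn_range`, `checked_sub` and `ack_expand` are hypothetical, and field values are assumed to be already varint-decoded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types for this example; fields are assumed already varint-decoded. */
typedef struct { uint64_t gap, len; } ack_block;        /* Gap, ACK Range Length */
typedef struct { uint64_t smallest, largest; } pn_range;

/* a - b without wraparound: fails instead of yielding a huge unsigned value. */
static bool checked_sub(uint64_t a, uint64_t b, uint64_t *out) {
    if (b > a) return false;
    *out = a - b;
    return true;
}

/*
 * Expand an ACK frame into packet-number ranges (RFC 9000, section 19.3.1).
 * Returns the number of ranges written, or -1 if a computed packet number
 * would be negative (the RFC requires FRAME_ENCODING_ERROR) or out[] is too small.
 */
int ack_expand(uint64_t largest_acked, uint64_t first_range,
               const ack_block *blocks, size_t nblocks,
               pn_range *out, size_t out_cap) {
    uint64_t largest = largest_acked, smallest;
    if (out_cap == 0 || nblocks > out_cap - 1) return -1;
    if (!checked_sub(largest, first_range, &smallest)) return -1;
    out[0] = (pn_range){ smallest, largest };
    for (size_t i = 0; i < nblocks; i++) {
        /* Next largest = previous smallest - Gap - 2; each step is checked. */
        if (!checked_sub(smallest, blocks[i].gap, &largest)) return -1;
        if (!checked_sub(largest, 2, &largest)) return -1;
        if (!checked_sub(largest, blocks[i].len, &smallest)) return -1;
        out[i + 1] = (pn_range){ smallest, largest };
    }
    return (int)(nblocks + 1);
}

int main(void) {
    ack_block blocks[] = { { 1, 2 } };  /* constructed sample input */
    pn_range r[4];
    int n = ack_expand(100, 3, blocks, 1, r, 4);
    for (int i = 0; i < n; i++)
        printf("acked %llu..%llu\n", (unsigned long long)r[i].smallest,
               (unsigned long long)r[i].largest);
    /* Constructed malformed frame: First ACK Range exceeds Largest Acknowledged. */
    printf("malformed -> %d\n", ack_expand(5, 6, NULL, 0, r, 4));
    return 0;
}
```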