CVE-2026-32179

CRITICAL9.8

MsQuic has a Remote Elevation of Privilege Vulnerability

Published: 4/16/2026Modified: 5/8/2026

Description

### Summary Improper input validation in Microsoft QUIC allows an unauthorized attacker to elevate privileges over a network. ### Details Improper Input Validation Integer Underflow (Wrap or Wraparound) when decoding ACK frame. #### Patches - Fix underflow in ACK frame parsing - 1e6e999b ### Impact An attacker who successfully exploited this vulnerability could gain elevated privileges.

Affected packages (2)

NuGet/Microsoft.Native.Quic.MsQuic.OpenSSL>= 2.5.0-ci.532574, < 2.5.7
NuGet/Microsoft.Native.Quic.MsQuic.Schannel>= 2.5.0-ci.532574, < 2.5.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (3)

PATCHhttps://github.com/microsoft/msquic
WEBhttps://github.com/microsoft/msquic/commit/1e6e999b199430effeefee3d85baa0c9dd35ad5e
WEBhttps://github.com/microsoft/msquic/security/advisories/GHSA-gvvw-8j96-8g5r