Planned Fix

CVE-2026-3991

Elevation of Privilege (LPE) in Symantec DLP Windows Endpoint (local)

Summary

A local elevation-of-privilege vulnerability in the Symantec Data Loss Prevention (DLP) Windows Endpoint agent allows a low-privileged authenticated user to substitute or influence functionality loaded by the agent (inclusion from an untrusted control sphere). Exploitation is local and requires a valid user account; successful exploitation yields the agent's elevated privileges on the host, allowing access to sensitive data or tampering with DLP enforcement.

Why Planned Fix?

3/6
Authentication required
Deployment unknown
No user interaction needed
Exploitable in default configuration
No active exploitation or PoC
High impact vulnerability

Exploitation Details

Type: LPE (Local Privilege Escalation)
Is exploitable with default configuration? Yes
Is authentication needed? Yes
PoC / Exploit: No

Impact

Local attacker gains elevated (agent/administrative) privileges on the Windows host.

Exploitation Requirements
  • Authentication required
  • Local authenticated (low-privilege) user account
  • Symantec DLP Windows Endpoint agent installed and running with elevated privileges
  • ability to place or modify files/resources in a location the agent will load or
Exploitation Process

A local, authenticated low-privileged user places or modifies resources that the DLP Windows Endpoint agent loads or references from an untrusted control sphere (for example substituting files, libraries, or other loadable components or influencing a search/load path). Because the agent runs with elevated/system privileges, when the agent loads the attacker-controlled component the attacker-controlled code or functionality executes in the agent's privileged context, resulting in privilege escalation to the agent's elevated account and enabling access to protected data or modification of enforcement behavior. Success is verified by observing elevated process context or ability to perform privileged actions (e.g., access protected files or modify agent behavior).

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 0

Affected Software

Vendor: Broadcom (Symantec)
Product: Symantec Data Loss Prevention (DLP) Windows Endpoint
Affected Versions: Prior to DLP 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15.

Description

Endpoint agent for Symantec Data Loss Prevention (DLP) that runs on Windows hosts to monitor, detect and prevent transmission of sensitive data and enforce data-loss policies.

Deployment:
Protocol: Local
Ports:
Affected Component

The Symantec DLP Windows Endpoint agent component that loads or references functionality from an untrusted control sphere (allows local replacement/substitution of elements the agent loads), enabling privilege escalation when the agent runs with elevated privileges.

Enterprise Usage: Estimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals; not exact data.
Vendor Size: Big

Remediation
Workaround

Not available

Patch

Not available

Update

Not available

Threat Intelligence
EPSS Score: 0.0%

Probability of exploitation in the next 30 days

EPSS Percentile: 2%

Worse than 2% of all CVEs

CISA KEV
Not Listed
Active Exploitation
No Evidence
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data


Description Summary

Symantec Data Loss Prevention Windows Endpoint, prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15, may be susceptible to an Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

CVSS Base Score

7.8
High

CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE: CWE-829 Inclusion of Functionality from Untrusted Control Sphere