Symantec DLP Windows Endpoint Elevation of Privilege Vulnerability (CVE-2026-3991)
CVE-2026-3991 is an elevation of privilege vulnerability in Symantec Data Loss Prevention (DLP) Windows Endpoint that could allow a local attacker to gain elevated access to resources.
CVE-2026-3991 is an elevation of privilege vulnerability affecting Symantec Data Loss Prevention (DLP) Windows Endpoint versions prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15. A local attacker could exploit this vulnerability to gain elevated privileges on the system. This could allow them to bypass DLP policies and access sensitive data normally protected by the application. The vulnerability was reported on March 30, 2026, and affects Windows endpoints…
Detection coverage (2)
Detect Suspicious Symantec DLP Process Creation
high: Detects suspicious process creation events related to Symantec DLP EndpointAgent.exe that may indicate exploitation attempts.
Detect Symantec DLP Process with Suspicious Parent
medium: Detects Symantec DLP processes being spawned by unusual parent processes, indicative of potential exploitation.
Detection queries are kept inside the platform.
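One way to express the parent-process check described in the second rule, as an added example that is not the platform's rule or vendor code. It assumes process-creation events with `Image` and `ParentImage` fields (as in Sysmon Event ID 1) and assumes the agent normally starts under the Service Control Manager; the baseline, install path and sample events are constructed.

```python
import ntpath

# Process name taken from the page; everything else is an assumption.
WATCHED_IMAGE = "endpointagent.exe"
# Assumed baseline: the agent runs as a Windows service, so services.exe is
# its parent. Replace with the parents actually observed in your fleet.
EXPECTED_PARENTS = {r"c:\windows\system32\services.exe"}
EXPECTED_NAMES = {ntpath.basename(p) for p in EXPECTED_PARENTS}

def norm(path):
    """Lower-case and normalise a Windows path; None or empty becomes ''."""
    return ntpath.normpath(path).lower() if path else ""

def check_event(event):
    """Return a finding for one process-creation event, or None."""
    image = norm(event.get("Image"))
    if ntpath.basename(image) != WATCHED_IMAGE:
        return None
    parent = norm(event.get("ParentImage"))
    if parent in EXPECTED_PARENTS:
        return None
    if not parent:
        reason = "parent image missing from event"
    elif ntpath.basename(parent) in EXPECTED_NAMES:
        # Matching on file name alone would miss a look-alike binary.
        reason = "expected parent name running from unexpected path"
    else:
        reason = "unexpected parent process"
    return {"host": event.get("Computer"), "parent": parent, "reason": reason}

def scan(events):
    """Run check_event over an iterable of events and keep the findings."""
    return [f for f in map(check_event, events) if f]

# Constructed sample events; the agent path is a placeholder, not the real one.
AGENT = r"C:\Program Files\ExampleVendor\EndpointAgent.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "Image": AGENT,
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Computer": "WS-02", "Image": AGENT,
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "WS-03", "Image": AGENT,
     "ParentImage": r"C:\Users\Public\services.exe"},
    {"Computer": "WS-04", "Image": AGENT},
    {"Computer": "WS-05", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Comparing the full parent path rather than the file name is what separates the WS-03 case from the benign WS-01 case.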