CVE-2026-49165 Fix: Patch Windows App Store Info Leak

CVE-2026-49165 affects the Microsoft Windows App Store component across supported Windows client and server releases, allowing an authorized local attacker to disclose information by exploiting an uninitialized resource. Microsoft published the vulnerability on July 14, 2026, with a CVSS 3.1 base score of 7.1 and security updates available through the July Patch Tuesday release.
Detailed in the Microsoft Security Response Center’s Security Update Guide, the flaw is classified as an information disclosure vulnerability and mapped to CWE-908, Use of Uninitialized Resource. That classification typically means software may expose data left in memory or another resource because it was used before being initialized into a predictable, safe state.
The attack is local rather than remotely executable, and the attacker must already be authorized on the target system. That makes CVE-2026-49165 less immediately dangerous than an unauthenticated network flaw, but the broad Windows version coverage means administrators should not dismiss it—especially on shared systems, session hosts, development machines, and servers where lower-privileged users can run code.

Cybersecurity dashboard highlighting CVE-2026-49165 and Windows Patch Tuesday updates across client and server systems.The Store Name Masks an Operating-System Fix​

Despite Microsoft’s “Windows App Store” product label, CVE-2026-49165 is not presented as a simple Microsoft Store application update. The affected-version data spans Windows 10, Windows 11, and multiple Windows Server generations, including Server Core installations.
Affected platforms listed in the CVE record include:
  • Windows 10 Version 1607, Version 1809, Version 21H2, and Version 22H2.
  • Windows 11 Version 24H2, Version 25H2, and Version 26H1.
  • Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025.
  • Server Core installations of Windows Server 2016, 2019, and 2025.
That breadth matters operationally. An administrator should not assume that disabling Microsoft Store access, blocking consumer Store applications through policy, or maintaining a minimal Server Core deployment removes the vulnerable component.
The presence of Server Core in Microsoft’s affected-product data is particularly instructive. Server Core does not provide the normal desktop Store experience, yet Microsoft still identifies it as affected, indicating that the vulnerable functionality resides in Windows components deployed more widely than the visible storefront application.
This is therefore a Windows servicing issue, not a case where every user must open Microsoft Store and select “Get updates.” Endpoint teams should look for the applicable July 2026 operating-system cumulative update and verify the resulting OS build.

Uninitialized Data Can Become a Useful Building Block​

Microsoft’s concise description says an authorized attacker can exploit an uninitialized resource to disclose information locally. The company has not provided enough public technical detail to identify precisely what data may be exposed, which process owns it, or how an attacker would retrieve it.
An uninitialized resource can contain residual information from earlier activity rather than a defined blank value. Depending on where the programming error occurs, that information could range from low-value implementation data to memory addresses, application content, tokens, or other process state. Microsoft has not stated that CVE-2026-49165 exposes any particular category of sensitive information, so those possibilities should not be treated as confirmed impact.
Information disclosure bugs also deserve attention because they can support a larger exploit chain. A memory leak that is not sufficient to compromise Windows by itself may reveal addresses or state that helps an attacker bypass mitigations or make another local vulnerability more reliable.
The 7.1 CVSS score places CVE-2026-49165 above the level many organizations associate with routine low-impact disclosure bugs. At the same time, CVSS is not a direct measure of active threat activity. It describes technical characteristics and potential impact; it does not prove that exploitation has occurred or that working public code exists.
Microsoft’s report-confidence metric is marked Confirmed. In CVSS terminology, that means the vulnerability has been validated with sufficient technical confidence, potentially through detailed reports, reproducible behavior, or vendor confirmation. It should not be misread as confirmation that attackers are exploiting the flaw in the wild.
The material published at release does not establish active exploitation or provide a public proof of concept. In the absence of those indicators, CVE-2026-49165 belongs in the normal July security-update rollout rather than an emergency response based solely on its identifier.

Build Numbers Give Administrators the Fastest Check​

The affected-version boundaries provide concrete remediation targets. Systems below Microsoft’s fixed build for their servicing branch remain exposed, while devices at or above the corrected build have received the relevant code change.
The listed boundaries include build 14393.9339 for Windows 10 Version 1607 and Windows Server 2016, build 17763.9020 for Windows 10 Version 1809 and Windows Server 2019, and build 20348.5386 for Windows Server 2022. Windows 10 Version 21H2 and Version 22H2 move to builds 19044.7548 and 19045.7548 respectively.
For current Windows 11 branches, the relevant corrected levels are build 26100.8875 for Windows 11 24H2 and build 26200.8875 for Windows 11 25H2. Windows Server 2025 uses the server servicing revision 26100.33158 rather than the client’s 26100.8875.
Windows 11 26H1 receives July’s cumulative update as KB5101649, bringing the operating system to build 28000.2525. Microsoft’s support documentation says that package contains the latest security fixes along with quality changes carried forward from the June optional preview.
There is an apparent discrepancy in early structured CVE data for Windows 11 26H1, with one affected-range entry referencing build 28000.2269 while Microsoft’s July cumulative update installs build 28000.2525. Administrators should use the July update’s final installed build as the practical compliance target rather than treating the older June boundary as evidence that a machine is fully patched.
Because cumulative Windows updates supersede earlier packages, organizations ordinarily do not need a standalone CVE-2026-49165 installer. Installing the applicable July 14, 2026 security update—or a later cumulative update that supersedes it—should deliver the fix.

Store Controls Are Not a Substitute for Patching​

Enterprise environments frequently disable the consumer-facing Store while retaining packaged-app infrastructure for Windows components and managed applications. CVE-2026-49165 demonstrates why configuration controls and vulnerability remediation must be tracked separately.
Blocking Store purchases may reduce unwanted software installation, but it does not prove that the underlying Windows App Store code is absent or unreachable. The affected Server Core listings make that distinction especially clear.
Administrators should inventory OS builds through Intune, Configuration Manager, Windows Update for Business reporting, PowerShell, or their existing vulnerability-management platform. Scanners may initially display inconsistent product names because Microsoft calls the component “Windows App Store” while distributing the correction through Windows cumulative updates.
Testing should follow the organization’s usual Patch Tuesday process, with extra attention to systems hosting multiple users or workloads at different trust levels. Remote Desktop Session Hosts, jump servers, build systems, classroom PCs, kiosks with accessible local sessions, and developer workstations create more plausible opportunities for a low-privileged account to interact with local components than a locked-down single-purpose server.
CVE-2026-49165 does not justify panic on the evidence currently available. It does, however, justify checking that July’s cumulative updates reached every supported Windows branch—including Store-disabled endpoints and Server Core machines that might otherwise be overlooked because the vulnerability’s product name sounds consumer-facing.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
  3. Official source: support.microsoft.com
 

Back
Top