CVE-2026-50333: KB5101650 Fixes Windows Spaceport.sys EoP

Microsoft has patched CVE-2026-50333, an elevation-of-privilege vulnerability in the Windows Spaceport.sys driver that could let an authenticated local attacker gain higher permissions. The fix arrived on July 14, 2026, through the monthly Windows security updates and should be treated as a post-compromise risk rather than a remotely exploitable entry point.
Detailed in Microsoft’s Security Response Center advisory, the flaw is classified as “Important.” Microsoft describes the underlying weakness as missing authentication for a critical function in Spaceport.sys, while the CVE record assigns it a CVSS 3.1 base score of 7.8 High.
The vulnerability affects supported Windows client and server releases, including Windows 11 versions 24H2, 25H2, and 26H1, alongside older Windows 10 and Windows Server installations. Administrators should prioritize the July cumulative updates on multi-user systems, servers, virtual desktop infrastructure, and endpoints where an attacker could already obtain a standard account or execute code with limited privileges.

Cybersecurity graphic showing a Spaceport.sys privilege-escalation vulnerability mitigated by a July 2026 update.Spaceport.sys Turns Limited Access Into a Bigger Problem​

Spaceport.sys is a kernel-mode Windows storage driver associated with Storage Spaces, Microsoft’s software-defined storage technology. Its kernel position makes authorization errors particularly consequential: code crossing an insufficiently protected driver boundary may be able to perform operations unavailable to an ordinary user process.
Microsoft categorizes CVE-2026-50333 under CWE-306, Missing Authentication for Critical Function. That classification indicates the vulnerable function does not adequately verify whether the caller is authorized to use it. Microsoft has not publicly documented the exact driver interface, control code, or sequence of operations required to trigger the flaw.
The published CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, exploitation requires local access and low-level privileges, but has low attack complexity and does not require another user to click a link, open a document, or approve a prompt.
A successful exploit could have a high impact on confidentiality, integrity, and availability. That may allow an attacker to escape the limits of a compromised standard account, tamper with protected resources, access sensitive information, disable security controls, or establish a more durable foothold.
This is why a local elevation-of-privilege flaw can be an important component of an attack chain even when it cannot be reached directly over the network. Initial access may come from phishing, credential theft, a malicious installer, a browser vulnerability, or exploitation of an exposed service. CVE-2026-50333 would then provide the privilege escalation needed to turn that initial access into broader control of Windows.
Microsoft’s current description says an “authorized attacker” can exploit the vulnerability locally. In this context, authorized does not mean the activity has administrative approval; it means the attacker must already possess credentials or access sufficient to interact with the affected system as a legitimate local security principal.

The Affected Range Reaches Across Windows Generations​

Microsoft’s CVE data identifies affected builds across Windows 10, Windows 11, and supported Windows Server branches. The scope includes both x64 and ARM64 systems where those architectures are offered, with 32-bit systems also listed for certain older Windows 10 releases.
The affected client versions include:
  • Windows 10 version 1607 installations earlier than build 14393.9339.
  • Windows 10 version 1809 installations earlier than build 17763.9020.
  • Windows 10 version 21H2 installations earlier than build 19044.7548.
  • Windows 10 version 22H2 installations earlier than build 19045.7548.
  • Windows 11 version 24H2 installations earlier than build 26100.8875.
  • Windows 11 version 25H2 installations earlier than build 26200.8875.
  • Windows 11 version 26H1 installations earlier than build 28000.2269.
Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 are also represented in Microsoft’s affected-product data, including applicable Server Core installations. Organizations running Windows 10 editions past mainstream consumer support should remember that the availability of a fix depends on the edition, servicing channel, and Extended Security Updates entitlement.
For Windows 11 versions 24H2 and 25H2, the July fix is delivered through KB5101650, raising the systems to builds 26100.8875 and 26200.8875 respectively. Microsoft’s cumulative servicing model means administrators do not need to locate and deploy a separate Spaceport.sys package; installing the applicable July 2026 cumulative security update brings in the correction with the rest of that month’s fixes.
Windows 11 26H1 systems need build 28000.2269 or later. Other Windows and Windows Server branches have their own cumulative update packages and target builds, so inventory tools should evaluate the operating-system version and build rather than looking only for KB5101650 across every device.
The broad product list does not necessarily mean every affected computer actively uses a Storage Spaces pool. The vulnerable driver is a Windows component, and Microsoft’s affected-product declaration—not whether an administrator intentionally configured Storage Spaces—should determine patch applicability. Disabling an unused storage feature is not a documented substitute for applying the security update.

Public Evidence Supports the Flaw, Not Active Exploitation​

The National Vulnerability Database received the CVE record from Microsoft on July 14 and had not completed its independent enrichment at publication time. Its entry nevertheless carries Microsoft’s technical description, CWE classification, affected versions, and CVSS vector.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data marks exploitation as “none” and automation as “no,” while assessing the potential technical impact as total. That indicates there was no known exploitation evidence in the available record, not that exploitation is impossible or that defenders can safely defer the fix indefinitely.
No public proof-of-concept code, exploit procedure, or detailed reverse-engineering report was identified in the initial disclosures. Microsoft has also not characterized CVE-2026-50333 as publicly disclosed or under active attack in the information currently available.
That distinction matters when judging urgency. CVE-2026-50333 does not demand the same emergency response as an unauthenticated remote-code-execution zero-day on an internet-facing service. It does, however, deserve prompt remediation because local privilege escalation vulnerabilities are valuable to ransomware operators, penetration testers, information stealers, and other actors that have already landed on a machine.
The confidence language associated with vulnerability metrics can be easy to misread as a direct measure of exploit likelihood. Confidence in the existence and technical characterization of a vulnerability is separate from severity, exposure, and evidence of attacks. Here, Microsoft has acknowledged the flaw and shipped corrected builds, providing strong confirmation that the vulnerability exists even though the low-level mechanics remain undisclosed.

Patch Testing Should Focus on Storage Workloads​

For individual Windows users, the practical action is straightforward: install the July 2026 security update through Windows Update and restart when prompted. Users can confirm their build by running winver and comparing the displayed version with Microsoft’s corrected-build threshold.
Enterprise administrators should use Windows Update for Business, Windows Server Update Services, Microsoft Intune, Configuration Manager, or their normal patch-management platform to deploy the applicable cumulative update. Vulnerability scanners should verify the resulting OS build or patched Spaceport.sys version rather than relying solely on an update installation status that may not reflect a successful reboot.
Testing deserves particular attention on machines that use Storage Spaces, Storage Spaces Direct, clustered storage, Hyper-V, or storage-management software that interacts with Windows kernel storage components. There is no public indication that Microsoft’s correction causes storage regressions, but those systems offer the most relevant validation targets before a broad production rollout.
Organizations unable to install the update immediately should reduce opportunities for local code execution and credential misuse. That includes limiting interactive logons to servers, removing unnecessary local accounts, enforcing least privilege, monitoring unexpected driver access, and investigating processes that attempt to obtain SYSTEM-level execution after running under a standard account.
These measures only constrain the attack path; they do not repair the missing authorization check. Microsoft has not published a registry change, Group Policy setting, or supported manual mitigation that provides equivalent protection.
CVE-2026-50333 is therefore a conventional but significant Patch Tuesday issue: it needs an attacker to get onto the Windows system first, yet it may provide the permissions needed to take control once that boundary has been crossed. The concrete remediation milestone is the July 14, 2026 cumulative update and its corresponding fixed build, with administrators now responsible for ensuring that Spaceport.sys is no longer left at a vulnerable version.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
 

Back
Top