CVE-2026-50363: July Updates Fix Windows Privilege Escalation

CVE-2026-50363, a heap-based buffer overflow in Windows Push Notifications, can let an authenticated local attacker elevate privileges on affected Windows 10, Windows 11, and Windows Server systems. Microsoft addressed the flaw in its July 14, 2026 security updates, making deployment of the corresponding cumulative update the primary defensive action.
Detailed in the Microsoft Security Response Center advisory, the vulnerability carries a CVSS 3.1 base score of 7.8 High and is classified as CWE-122, Heap-based Buffer Overflow. The National Vulnerability Database lists Microsoft as the source of the record but, as of July 15, still marks the entry as awaiting NVD enrichment.
This is not a remote, unauthenticated entry point. Exploitation requires an attacker who already has local access and low-level privileges, but the Microsoft-supplied scoring indicates low attack complexity, no user interaction, and potentially high impact to confidentiality, integrity, and availability.

Infographic shows a heap overflow using push notifications for privilege escalation, then a security patch.A Local Foothold Can Become a System Compromise​

Windows Push Notifications provides infrastructure used to deliver notifications to Windows applications and system components. CVE-2026-50363 concerns memory handling inside that infrastructure rather than the content of an ordinary toast notification appearing on the desktop.
Microsoft describes the underlying weakness as a heap-based buffer overflow. Such flaws occur when software writes more data into a heap allocation than the memory region was designed to hold, potentially corrupting nearby data and altering program execution. Microsoft has not publicly documented the vulnerable function, the required notification payload, or a proof-of-concept exploitation sequence.
The CVSS vector is more informative about the practical attack conditions. CVE-2026-50363 is local rather than network-reachable, requires an existing low-privileged account or process, and does not require the victim to click a notification, open a file, or approve a prompt. Attack complexity is rated low, indicating that Microsoft does not expect exploitation to depend on an unusually fragile race, specialized deployment, or other difficult prerequisite.
Successful exploitation could give an attacker substantially more control over the machine. Microsoft’s CVSS assessment assigns high potential impact across confidentiality, integrity, and availability, meaning exploitation could expose protected information, permit unauthorized changes, and disrupt the affected system.
That makes CVE-2026-50363 most relevant during the second stage of an intrusion. An initial-access technique such as credential theft, malicious software, a compromised remote-management session, or exploitation of another application could place an attacker on the endpoint with limited rights. This vulnerability could then provide a route around the restrictions imposed on that account.
Microsoft has not published enough technical detail to establish whether successful exploitation always produces SYSTEM privileges or which security context is ultimately obtained. Administrators should therefore avoid treating the score as proof of one specific privilege level while still planning for the broader risk of a low-privileged process crossing a Windows security boundary.

The Affected Range Spans Old and New Windows Releases​

Microsoft’s CVE record covers a wide collection of client and server platforms. The affected-version data published through the CVE and NVD records includes Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 Version 21H2, Windows 10 Version 22H2, Windows 11 Version 24H2, Windows 11 Version 25H2, and Windows 11 version 26H1.
Windows Server is also affected, including Windows Server 2012 R2 and later supported server branches identified in Microsoft’s July release. Server Core installations appear in the affected-product data, so the absence of the conventional desktop notification interface should not be treated as evidence that a server is outside the vulnerability’s reach.
The fixed build thresholds identified in the published record include:
  • Windows 10 Version 1607 is affected before build 14393.9339.
  • Windows 10 Version 1809 is affected before build 17763.9020.
  • Windows 10 Version 21H2 is affected before build 19044.7548.
  • Windows 10 Version 22H2 is affected before build 19045.7548.
  • Windows 11 Version 24H2 is affected before build 26100.8875.
  • Windows 11 Version 25H2 is affected before build 26200.8875.
  • Windows 11 version 26H1 is affected before the applicable July servicing level for that branch.
  • Windows Server 2012 R2 is affected before build 9600.23291.
The July packages associated with affected platforms include KB5099535 for Windows Server 2016, KB5099540 for Windows Server 2022, KB5101650 for Windows 11 Versions 24H2 and 25H2, and KB5101649 for one Windows 11 version 26H1 servicing path. Exact KB applicability depends on the Windows edition, architecture, servicing channel, and whether an organization receives Extended Security Updates.
Administrators should use Microsoft’s Security Update Guide, Windows Update for Business reports, WSUS, Microsoft Configuration Manager, Intune, or their endpoint-management platform to match each installed operating-system build to its required July update. Checking only the marketing version—for example, “Windows 11”—is insufficient because the fixed build differs between 24H2, 25H2, and 26H1.

Patch Priority Depends on Who Can Run Code​

CVE-2026-50363 does not carry the same immediate perimeter risk as an unauthenticated remote-code-execution vulnerability in a public-facing service. A firewall rule cannot be bypassed remotely through this flaw alone, and an attacker must first obtain authorization to execute code locally.
That requirement should not push the update indefinitely down the queue. Shared workstations, Windows 365 and Azure Virtual Desktop environments, Remote Desktop Session Hosts, developer systems, jump boxes, and servers accessed by multiple administrative tiers present more opportunities for a low-privileged account to coexist with sensitive processes and credentials.
The absence of user interaction also matters. Once malicious code is running in the required local context, exploitation does not depend on persuading another user to open an attachment or respond to a notification. That makes the flaw potentially suitable for inclusion in an automated post-compromise tool chain if reliable exploit code emerges.
At publication time, the public records examined do not provide a technical proof of concept or detailed exploitation method. NVD has not completed its independent enrichment, and Microsoft’s advisory supplies the confirmed weakness category and attack conditions without exposing the affected code path. That supports high confidence that the vulnerability exists and has been corrected, while leaving exploit reliability and real-world weaponization less certain.

July’s Cumulative Update Is the Control That Matters​

There is no configuration change in the available advisory that offers the same protection as installing the security update. Disabling application notifications, hiding banners, turning on Focus mode, or changing notification privacy settings should not be considered mitigations because those controls affect presentation rather than the underlying Windows Push Notifications code.
IT teams should deploy the July 14 cumulative updates through their normal staged rings, verify that endpoints reach the fixed builds, and investigate machines that repeatedly fail installation. Systems that cannot yet be updated deserve tighter controls on interactive access, application execution, remote administration, and the creation of local accounts.
Security monitoring should also focus on the behavior surrounding privilege escalation rather than waiting for a CVE-specific detection signature. Unexpected service creation, scheduled tasks launched under privileged identities, new local administrators, suspicious token manipulation, and low-privileged processes spawning administrative tools can all reveal the consequences of a successful escalation attempt.
CVE-2026-50363 is ultimately a foothold amplifier: it does not provide the attacker’s first connection, but it may turn limited access into broad control. The concrete milestone for defenders is straightforward—move every affected Windows client and server beyond its vulnerable build threshold and confirm that the July 2026 cumulative update actually installed.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top