CVE-2026-50339: Fix Windows Push Notifications Data Exposure

CVE-2026-50339 exposes sensitive information through Windows Push Notifications, and Microsoft has shipped fixes across supported Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2025 installations. The flaw carries a CVSS 3.1 score of 5.5, placing it in the Medium severity band, but its confidentiality impact is rated High.
Detailed in Microsoft’s Security Update Guide on July 14, 2026, the vulnerability allows an authorized attacker to disclose information locally. That qualification matters: this is not a drive-by remote compromise, and an attacker cannot exploit it anonymously over the network. The attacker must already possess low-level privileges on the targeted Windows device.
The National Vulnerability Database lists CVE-2026-50339 as awaiting NIST enrichment, meaning Microsoft’s record remains the primary technical assessment. The currently published description does not identify the exact data that could be exposed, the vulnerable Windows Push Notifications operation, or a proof-of-concept exploitation method.

Cybersecurity analyst monitors servers, global networks, alerts, and a detected cyber threat.A Local Attack With a High Confidentiality Cost​

Microsoft assigned CVE-2026-50339 the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, exploitation requires local access and low privileges, has low complexity, and needs no interaction from another user.
A successful attack affects confidentiality but does not directly permit modification of data or disruption of the system. Microsoft’s scoring therefore records High confidentiality impact, with no integrity or availability impact. The vulnerability is classified as CWE-200, Exposure of Sensitive Information to an Unauthorized Actor.
That combination makes CVE-2026-50339 more relevant in environments where an attacker may already obtain a constrained user session. Shared workstations, remote desktop hosts, virtual desktop infrastructure, application servers permitting interactive logon, and development systems running untrusted code deserve particular attention.
The vulnerability could also become one component in an exploit chain. Information-disclosure bugs are frequently useful because exposed data may help an attacker understand process state, recover information belonging to another security context, or bypass protections needed for a subsequent exploit. Microsoft has not publicly stated that CVE-2026-50339 enables any particular follow-on attack, however, so administrators should not infer capabilities beyond the published assessment.
No user interaction is required once the attacker has the necessary local privileges. That distinguishes it from notification-related attacks that depend on persuading a victim to open a message, click a toast notification, or launch an application.

The Fix Reaches Windows 10 Through Windows 11 26H1​

The affected-product record submitted by Microsoft covers a broad range of Windows client releases. Systems below the listed corrected build thresholds remain affected:
  • Windows 10 Version 1809 is affected before build 17763.9020.
  • Windows 10 Version 21H2 is affected before build 19044.7548.
  • Windows 10 Version 22H2 is affected before build 19045.7548.
  • Windows 11 Version 24H2 is affected before build 26100.8875.
  • Windows 11 Version 25H2 is affected before build 26200.8875.
  • Windows 11 version 26H1 is affected before build 28000.2269.
The Windows 10 entries do not imply that every consumer installation of those versions still receives ordinary security servicing. Some older releases remain supported only in specific editions, servicing channels, or paid extended-security arrangements. Administrators should confirm that each device is enrolled in an applicable support program rather than assuming the existence of a corrected build guarantees access to it.
The affected architectures also differ by release. Microsoft’s record includes 32-bit and x64 systems for Windows 10 Version 1809; 32-bit, ARM64, and x64 systems for Windows 10 versions 21H2 and 22H2; and ARM64 and x64 systems for the listed Windows 11 releases.
For IT teams, the most reliable validation is the installed OS build rather than the marketing version alone. Running winver, checking the Settings app, querying inventory through Microsoft Intune, or collecting build data with PowerShell can reveal whether an endpoint remains below the fixed threshold.
Because Windows cumulative updates supersede earlier packages, organizations do not ordinarily need a standalone CVE-specific installer. Deploying the applicable July 2026 cumulative security update—or a later cumulative update that includes the correction—should move the system beyond the vulnerable build.

Server Core Is Not Exempt​

Microsoft also identifies Windows Server 2019, Windows Server 2022, and Windows Server 2025 as affected. The corrected build boundaries are 17763.9020 for Server 2019, 20348.5386 for Server 2022, and 26100.33158 for Server 2025.
Both the Desktop Experience and Server Core records are included for Windows Server 2019 and Windows Server 2025. That is an important deployment detail because the absence of a conventional desktop shell does not remove the vulnerable Windows Push Notifications component or automatically eliminate exposure.
Server administrators should prioritize machines where less-trusted users or applications can execute code locally. A domain controller or tightly restricted infrastructure server may present a different practical risk from a multi-user Remote Desktop Session Host, but both still require the supported security update.
Disabling visible notification banners should not be treated as a mitigation. The vulnerable component is Windows Push Notifications, while user-facing notification preferences primarily control presentation. Microsoft has not documented changing notification settings as a workaround for CVE-2026-50339.
Likewise, endpoint protection can reduce the likelihood that malicious code reaches a machine, but it does not correct the underlying information-disclosure condition. Installing the cumulative Windows security update is the definitive remediation reflected by Microsoft’s affected-version data.

Sparse Disclosure Limits Defensive Detection​

Microsoft’s initial advisory confirms the vulnerability and provides enough information to rank deployment urgency, but it does not expose the root cause. There is no public explanation yet of whether the issue involves uninitialized memory, an authorization boundary, notification storage, interprocess communication, or another part of the push-notification pipeline.
No public modification date was supplied with the submitted advisory information, and the NVD recorded the new CVE from Microsoft on July 14, 2026. At publication time, NIST had not added an independent CVSS assessment or deeper configuration analysis.
That limited disclosure reduces immediate exploit-development guidance, but it also leaves defenders without a precise behavioral indicator. Security teams cannot build a dependable detection around a named process operation, event-log signature, file access pattern, or API call based solely on the currently public material.
Administrators should therefore handle CVE-2026-50339 primarily as a patch-compliance issue. Inventory systems should flag Windows builds below Microsoft’s corrected thresholds, with extra scrutiny applied to shared endpoints, session hosts, and systems where users can run code outside a tightly controlled application set.
The current record supports confidence that the vulnerability exists because Microsoft has acknowledged it, assigned a CVE and CVSS vector, identified affected products, and released corrected builds. What remains unknown is the nature of the information exposed and whether researchers or attackers will publish technical details after organizations have had time to deploy the July 14 updates.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top