CVE-2026-50312, a use-after-free flaw in the Windows Ancillary Function Driver for WinSock, has been fixed in Microsoft’s July 14, 2026 security updates. The vulnerability allows a locally authenticated attacker to elevate privileges, making the cumulative Windows update the practical remediation for affected PCs and servers.
Microsoft rates the vulnerability Important despite its relatively modest CVSS 3.1 base score of 4.7. Detailed in the Microsoft Security Response Center advisory and corroborated by the National Vulnerability Database, CVE-2026-50312 affects the kernel-mode networking component commonly identified as AFD, or
The advisory lists the flaw as neither publicly disclosed nor exploited in the wild at release. Trend Micro’s Zero Day Initiative also recorded no known public attack or disclosure on July 14, but administrators should not confuse that status with evidence that exploitation is impossible.
The Windows Ancillary Function Driver sits between WinSock applications and lower-level Windows networking facilities. It provides kernel-mode support for socket operations used by an enormous range of applications, services, and Windows components, even though most users never interact with AFD directly.
Microsoft describes CVE-2026-50312 as a use-after-free vulnerability, cataloged under CWE-416. This class of memory-safety error occurs when software continues to access an object after the memory associated with it has been released. Depending on how that memory is reused and how reliably an attacker can influence it, the result can range from a system crash to execution in a more privileged security context.
For this vulnerability, exploitation requires local access and an existing low-privilege account. The CVSS vector is
The high-complexity rating suggests an attacker may need to satisfy timing, memory-layout, or system-state conditions. Those requirements can reduce the reliability of a standalone exploit, but they do not make the flaw irrelevant in a multi-stage intrusion.
For CVE-2026-50312, Report Confidence: Confirmed means Microsoft has validated the vulnerability. It does not mean exploitation has been confirmed, an exploit has been published, or attacks have been observed in customer environments.
Those are separate advisory fields. At publication on July 14, Microsoft and the Zero Day Initiative listed CVE-2026-50312 as not publicly disclosed and not known to be exploited. The vulnerability therefore was not a zero-day under Microsoft’s usual Patch Tuesday terminology.
The distinction matters because vulnerability-management systems sometimes ingest a single field without preserving its context. A dashboard showing “confirmed” beside a CVE can trigger unnecessary alarm if staff interpret it as confirmed exploitation. Conversely, the absence of observed exploitation should not become a reason to defer the update indefinitely.
Microsoft’s CVSS temporal data also identifies an official remediation and confirmed reporting. In operational terms, that means the vulnerability is no longer merely theoretical, while the cumulative security update is the supported fix.
That concentration does not establish a common root cause, nor does it show that the vulnerabilities can be chained together. It does reinforce why defenders pay attention to
Local privilege-escalation vulnerabilities are frequently used after an attacker has gained an initial foothold through phishing, stolen credentials, a malicious document, a browser flaw, or a compromised application. The initial stage may leave the attacker confined to a standard user account or restricted process. A kernel vulnerability can then provide a route toward SYSTEM-level control, security-tool interference, credential access, or persistence.
Microsoft’s published score places CVE-2026-50312 below many of the other vulnerabilities in the unusually large July release. That is a valid prioritization signal, particularly because the flaw requires local access and has high attack complexity. It is not a reason to exclude the patch from normal deployment, especially on shared workstations, Remote Desktop hosts, development machines, and systems where untrusted users can execute code.
Administrators should also avoid improvised mitigations such as disabling WinSock functionality or attempting to remove
Examples from the July release include KB5101650 for Windows 11 versions 24H2 and 25H2, KB5101649 for Windows 11 version 26H1, KB5099539 for eligible Windows 10 21H2 and 22H2 systems, KB5099540 for Windows Server 2022, KB5099536 for Windows Server 2025, and KB5099535 for Windows Server 2016. Exact applicability depends on the operating-system release, architecture, servicing channel, and support status.
For managed environments, the sensible rollout remains familiar:
The immediate security picture is measured rather than catastrophic. CVE-2026-50312 is confirmed, locally exploitable, and embedded in a sensitive kernel networking component, but Microsoft had no evidence of active exploitation when the fix shipped. The remaining task for administrators is concrete: move supported Windows devices onto their July 14, 2026 cumulative builds, validate networking after the restart, and investigate every machine that fails to advance.
Microsoft rates the vulnerability Important despite its relatively modest CVSS 3.1 base score of 4.7. Detailed in the Microsoft Security Response Center advisory and corroborated by the National Vulnerability Database, CVE-2026-50312 affects the kernel-mode networking component commonly identified as AFD, or
afd.sys.The advisory lists the flaw as neither publicly disclosed nor exploited in the wild at release. Trend Micro’s Zero Day Initiative also recorded no known public attack or disclosure on July 14, but administrators should not confuse that status with evidence that exploitation is impossible.
A Local Foothold Can Become a Kernel-Level Problem
The Windows Ancillary Function Driver sits between WinSock applications and lower-level Windows networking facilities. It provides kernel-mode support for socket operations used by an enormous range of applications, services, and Windows components, even though most users never interact with AFD directly.Microsoft describes CVE-2026-50312 as a use-after-free vulnerability, cataloged under CWE-416. This class of memory-safety error occurs when software continues to access an object after the memory associated with it has been released. Depending on how that memory is reused and how reliably an attacker can influence it, the result can range from a system crash to execution in a more privileged security context.
For this vulnerability, exploitation requires local access and an existing low-privilege account. The CVSS vector is
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, which translates into several practical constraints:- An attacker must already be able to run code on the target Windows system.
- Exploitation requires low-level privileges but does not require another user to click or open anything.
- Microsoft considers the attack complexity high.
- The scored impact is limited to availability rather than confidentiality or integrity.
The high-complexity rating suggests an attacker may need to satisfy timing, memory-layout, or system-state conditions. Those requirements can reduce the reliability of a standalone exploit, but they do not make the flaw irrelevant in a multi-stage intrusion.
“Confirmed” Does Not Mean “Under Attack”
The report-confidence language displayed in Microsoft’s Security Update Guide can be easy to misread. Its purpose is to indicate how certain Microsoft is that the vulnerability and its published technical characterization are genuine.For CVE-2026-50312, Report Confidence: Confirmed means Microsoft has validated the vulnerability. It does not mean exploitation has been confirmed, an exploit has been published, or attacks have been observed in customer environments.
Those are separate advisory fields. At publication on July 14, Microsoft and the Zero Day Initiative listed CVE-2026-50312 as not publicly disclosed and not known to be exploited. The vulnerability therefore was not a zero-day under Microsoft’s usual Patch Tuesday terminology.
The distinction matters because vulnerability-management systems sometimes ingest a single field without preserving its context. A dashboard showing “confirmed” beside a CVE can trigger unnecessary alarm if staff interpret it as confirmed exploitation. Conversely, the absence of observed exploitation should not become a reason to defer the update indefinitely.
Microsoft’s CVSS temporal data also identifies an official remediation and confirmed reporting. In operational terms, that means the vulnerability is no longer merely theoretical, while the cumulative security update is the supported fix.
AFD Remains an Attractive Link in Exploit Chains
CVE-2026-50312 is one of several AFD issues addressed in the July 2026 release. The Zero Day Initiative’s review also lists CVE-2026-50462 and CVE-2026-57093 as AFD elevation-of-privilege vulnerabilities, alongside CVE-2026-34346, an AFD information-disclosure flaw.That concentration does not establish a common root cause, nor does it show that the vulnerabilities can be chained together. It does reinforce why defenders pay attention to
afd.sys: it is a broadly available kernel component reachable through ordinary networking interfaces.Local privilege-escalation vulnerabilities are frequently used after an attacker has gained an initial foothold through phishing, stolen credentials, a malicious document, a browser flaw, or a compromised application. The initial stage may leave the attacker confined to a standard user account or restricted process. A kernel vulnerability can then provide a route toward SYSTEM-level control, security-tool interference, credential access, or persistence.
Microsoft’s published score places CVE-2026-50312 below many of the other vulnerabilities in the unusually large July release. That is a valid prioritization signal, particularly because the flaw requires local access and has high attack complexity. It is not a reason to exclude the patch from normal deployment, especially on shared workstations, Remote Desktop hosts, development machines, and systems where untrusted users can execute code.
Administrators should also avoid improvised mitigations such as disabling WinSock functionality or attempting to remove
afd.sys. AFD is a core networking driver, and interfering with it can break applications, management agents, and basic Windows connectivity. Microsoft has not documented a separate configuration workaround for CVE-2026-50312; installing the applicable cumulative update is the appropriate action.July’s Cumulative Updates Carry the Fix
CVE-2026-50312 is serviced through the July 14 cumulative Windows updates rather than a standalone AFD package. The affected range spans Windows client and server editions, including supported Windows 11 releases, Windows 10 installations receiving applicable servicing, and supported Windows Server branches.Examples from the July release include KB5101650 for Windows 11 versions 24H2 and 25H2, KB5101649 for Windows 11 version 26H1, KB5099539 for eligible Windows 10 21H2 and 22H2 systems, KB5099540 for Windows Server 2022, KB5099536 for Windows Server 2025, and KB5099535 for Windows Server 2016. Exact applicability depends on the operating-system release, architecture, servicing channel, and support status.
For managed environments, the sensible rollout remains familiar:
- Confirm that endpoints received the correct July 2026 cumulative update and completed the required restart.
- Test networking-intensive applications, VPN clients, endpoint agents, and server workloads in a representative deployment ring.
- Track installation failures and devices that remain on pre-July operating-system builds.
- Prioritize multi-user systems and endpoints where untrusted or lower-privileged code is routinely executed.
- Use vulnerability scanners to verify the installed build rather than treating an update approval as proof of remediation.
The immediate security picture is measured rather than catastrophic. CVE-2026-50312 is confirmed, locally exploitable, and embedded in a sensitive kernel networking component, but Microsoft had no evidence of active exploitation when the fix shipped. The remaining task for administrators is concrete: move supported Windows devices onto their July 14, 2026 cumulative builds, validate networking after the restart, and investigate every machine that fails to advance.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com