CVE-2026-50390 is a Windows Kernel elevation-of-privilege vulnerability that can give a locally authenticated attacker high-level control over an affected PC or server. Microsoft fixed the flaw in its July 14, 2026 security updates, and administrators should treat the patch as part of the required July deployment rather than waiting for public exploit code.
Detailed in Microsoft’s Security Update Guide, the vulnerability is rated Important with a CVSS 3.1 base score of 7.0. It affects supported Windows 11 releases, multiple Windows 10 servicing branches, and Windows Server versions extending from Windows Server 2012 through Windows Server 2025.
Microsoft had not identified CVE-2026-50390 as publicly disclosed or under active exploitation when the advisory was published. However, the company assesses exploitation as “more likely,” according to the July analysis compiled by Tenable, placing it among the Windows kernel bugs that deserve attention even though it is not a zero-day.
Microsoft describes CVE-2026-50390 as an “access of resource using incompatible type” vulnerability, more commonly called type confusion. The weakness is classified as CWE-843 and occurs when software accesses an object or resource as though it were a different, incompatible type.
That distinction matters inside the Windows kernel, where a mistaken interpretation of an object can undermine assumptions about its structure, size, contents, or permitted operations. Under the right conditions, an attacker may be able to manipulate the resulting behavior and move from an ordinary account into a much more powerful security context.
The CVSS vector is AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, exploitation requires local access and an existing low-privileged account, involves high attack complexity, and does not require another user to click a link or open a file. A successful attack could have a high impact on confidentiality, integrity, and availability.
That combination explains why the numerical score stops at 7.0 despite the potentially severe outcome. CVE-2026-50390 is not a vulnerability that an unauthenticated attacker can directly trigger across the internet, but it can become the second stage of a broader intrusion.
An attacker might first obtain a standard account through stolen credentials, malicious software, an exposed service, or another vulnerability. A reliable CVE-2026-50390 exploit could then provide the privilege increase needed to disable security tooling, access protected data, alter system configuration, create persistent accounts, or interfere with recovery controls.
CISA’s initial enrichment recorded no known exploitation and characterized the flaw as not readily automatable, while also assigning it a “total” technical-impact assessment. Those details are not contradictory: the exploitation path may be technically demanding, but the consequences can be extensive if an attacker succeeds.
Server exposure includes Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core installations are included where applicable, so removing the desktop experience does not eliminate the underlying kernel flaw.
Microsoft’s published fixed-build boundaries include:
Administrators should therefore verify both the OS build and the device’s servicing eligibility. A machine that reports “up to date” while sitting on an unsupported Windows release may not have received the security correction at all.
That lack of technical detail is useful to attackers only up to a point. Microsoft’s acknowledgement confirms that the vulnerability exists, identifies the weakness class, establishes the affected builds, and ships corrected binaries. Researchers can compare pre-update and post-update kernel components to locate the changed code, a process commonly called patch diffing.
This is why Microsoft’s “exploitation more likely” assessment deserves more operational weight than the absence of attacks on publication day. The assessment does not mean exploitation is imminent or guaranteed, but it signals that the flaw has characteristics Microsoft believes could make practical exploitation attractive.
Zero Day Initiative’s July 2026 review listed CVE-2026-50390 among a large group of Windows kernel elevation flaws addressed in the same release. Tenable counted 20 kernel elevation-of-privilege CVEs for the month and identified six, including CVE-2026-50390, as more likely to be exploited.
For enterprise defenders, the relevant distinction is between initial access and privilege escalation. Network firewalls and exposed-service inventories offer little direct protection against a local kernel flaw once hostile code is already executing on an endpoint. Application control, least-privilege policies, credential protection, endpoint detection, and rapid patching remain the more relevant layers.
IT teams should confirm deployment through build-number reporting rather than relying solely on an update-management console’s success status. Windows Update for Business, Microsoft Intune, Windows Server Update Services, Configuration Manager, and third-party patch platforms can report an update as installed even while a pending restart leaves the active kernel unchanged.
Priority should go to shared administrative systems, remote-access hosts, developer workstations, jump servers, virtual desktop infrastructure, and machines on which standard users can execute untrusted code. Multi-user servers are especially relevant because a local privilege-escalation flaw can turn one compromised low-privileged session into a system-wide incident.
Organizations using staged deployment rings should still perform their normal compatibility validation, particularly because the July 2026 cumulative updates contain far more than this single kernel fix. The month’s unusually large security release also addresses critical vulnerabilities in components including Hyper-V, DHCP Server, Windows Media, Message Queuing, and Secure Kernel Mode.
The appropriate balance is a short validation window followed by broad deployment—not an indefinite pause based on CVE-2026-50390 lacking known exploitation. Once a device reaches the corrected build and completes its restart, the kernel fix becomes active; until then, an authenticated attacker who gains local code execution retains a potential route toward full machine compromise.
Detailed in Microsoft’s Security Update Guide, the vulnerability is rated Important with a CVSS 3.1 base score of 7.0. It affects supported Windows 11 releases, multiple Windows 10 servicing branches, and Windows Server versions extending from Windows Server 2012 through Windows Server 2025.
Microsoft had not identified CVE-2026-50390 as publicly disclosed or under active exploitation when the advisory was published. However, the company assesses exploitation as “more likely,” according to the July analysis compiled by Tenable, placing it among the Windows kernel bugs that deserve attention even though it is not a zero-day.
Type Confusion Opens a Route Into the Kernel
Microsoft describes CVE-2026-50390 as an “access of resource using incompatible type” vulnerability, more commonly called type confusion. The weakness is classified as CWE-843 and occurs when software accesses an object or resource as though it were a different, incompatible type.That distinction matters inside the Windows kernel, where a mistaken interpretation of an object can undermine assumptions about its structure, size, contents, or permitted operations. Under the right conditions, an attacker may be able to manipulate the resulting behavior and move from an ordinary account into a much more powerful security context.
The CVSS vector is AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, exploitation requires local access and an existing low-privileged account, involves high attack complexity, and does not require another user to click a link or open a file. A successful attack could have a high impact on confidentiality, integrity, and availability.
That combination explains why the numerical score stops at 7.0 despite the potentially severe outcome. CVE-2026-50390 is not a vulnerability that an unauthenticated attacker can directly trigger across the internet, but it can become the second stage of a broader intrusion.
An attacker might first obtain a standard account through stolen credentials, malicious software, an exposed service, or another vulnerability. A reliable CVE-2026-50390 exploit could then provide the privilege increase needed to disable security tooling, access protected data, alter system configuration, create persistent accounts, or interfere with recovery controls.
CISA’s initial enrichment recorded no known exploitation and characterized the flaw as not readily automatable, while also assigning it a “total” technical-impact assessment. Those details are not contradictory: the exploitation path may be technically demanding, but the consequences can be extensive if an attacker succeeds.
The Affected Windows Footprint Is Broad
The CVE record covers both current Windows releases and older editions still receiving security servicing through enterprise, embedded, or extended-support channels. The affected client platforms include Windows 11 versions 24H2, 25H2, and 26H1, along with Windows 10 versions 1607, 1809, 21H2, and 22H2.Server exposure includes Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core installations are included where applicable, so removing the desktop experience does not eliminate the underlying kernel flaw.
Microsoft’s published fixed-build boundaries include:
- Windows 11 24H2 and 25H2 systems must reach build 26100.8875 or 26200.8875, respectively.
- Windows 11 26H1 systems must reach build 28000.2269 or later.
- Windows 10 22H2 and 21H2 systems must reach builds 19045.7548 and 19044.7548, respectively.
- Windows 10 version 1809 and Windows Server 2019 must reach build 17763.9020.
- Windows 10 version 1607 and Windows Server 2016 must reach build 14393.9339.
- Windows Server 2022 must reach build 20348.5386.
- Windows Server 2025 must reach build 26100.33158.
Administrators should therefore verify both the OS build and the device’s servicing eligibility. A machine that reports “up to date” while sitting on an unsupported Windows release may not have received the security correction at all.
High Complexity Is Not a Reason to Defer
CVE-2026-50390’s “high” attack-complexity rating indicates that exploitation depends on conditions beyond simply running an executable. Microsoft has not publicly documented those conditions, the vulnerable kernel path, or a proof-of-concept technique, limiting defenders’ ability to create vulnerability-specific behavioral detections.That lack of technical detail is useful to attackers only up to a point. Microsoft’s acknowledgement confirms that the vulnerability exists, identifies the weakness class, establishes the affected builds, and ships corrected binaries. Researchers can compare pre-update and post-update kernel components to locate the changed code, a process commonly called patch diffing.
This is why Microsoft’s “exploitation more likely” assessment deserves more operational weight than the absence of attacks on publication day. The assessment does not mean exploitation is imminent or guaranteed, but it signals that the flaw has characteristics Microsoft believes could make practical exploitation attractive.
Zero Day Initiative’s July 2026 review listed CVE-2026-50390 among a large group of Windows kernel elevation flaws addressed in the same release. Tenable counted 20 kernel elevation-of-privilege CVEs for the month and identified six, including CVE-2026-50390, as more likely to be exploited.
For enterprise defenders, the relevant distinction is between initial access and privilege escalation. Network firewalls and exposed-service inventories offer little direct protection against a local kernel flaw once hostile code is already executing on an endpoint. Application control, least-privilege policies, credential protection, endpoint detection, and rapid patching remain the more relevant layers.
Deployment Should Follow the July Cumulative Update
Microsoft has not published a separate workaround or configuration mitigation for CVE-2026-50390. The corrective action is to install the applicable July 2026 Windows security update and restart the machine when required.IT teams should confirm deployment through build-number reporting rather than relying solely on an update-management console’s success status. Windows Update for Business, Microsoft Intune, Windows Server Update Services, Configuration Manager, and third-party patch platforms can report an update as installed even while a pending restart leaves the active kernel unchanged.
Priority should go to shared administrative systems, remote-access hosts, developer workstations, jump servers, virtual desktop infrastructure, and machines on which standard users can execute untrusted code. Multi-user servers are especially relevant because a local privilege-escalation flaw can turn one compromised low-privileged session into a system-wide incident.
Organizations using staged deployment rings should still perform their normal compatibility validation, particularly because the July 2026 cumulative updates contain far more than this single kernel fix. The month’s unusually large security release also addresses critical vulnerabilities in components including Hyper-V, DHCP Server, Windows Media, Message Queuing, and Secure Kernel Mode.
The appropriate balance is a short validation window followed by broad deployment—not an indefinite pause based on CVE-2026-50390 lacking known exploitation. Once a device reaches the corrected build and completes its restart, the kernel fix becomes active; until then, an authenticated attacker who gains local code execution retains a potential route toward full machine compromise.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org