CVE-2026-50322 Fixed in Windows 11 July 14 Updates

Microsoft has fixed CVE-2026-50322, an Important-rated Windows Runtime vulnerability that can let a locally authenticated attacker elevate privileges and gain high-impact control over an affected PC or server. The correction arrived with the July 14, 2026 cumulative updates for Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, and Windows Server 2025.
Detailed in Microsoft’s Security Update Guide and subsequently published by the National Vulnerability Database, the flaw is a race condition involving improperly synchronized shared resources. Microsoft assigns it a CVSS 3.1 base score of 7.0 and says exploitation requires local access, low privileges, and no interaction from another user.
There is no evidence that CVE-2026-50322 was publicly disclosed or exploited before the update became available. That lowers its immediate urgency compared with the actively exploited vulnerabilities in July’s unusually large Patch Tuesday release, but it does not make the flaw harmless. Successful exploitation could compromise confidentiality, integrity, and availability at a high level.

Infographic highlighting a Windows runtime synchronization vulnerability fixed by the July 2026 security update.A Race Condition Opens the Door to Higher Privileges​

Microsoft describes CVE-2026-50322 as concurrent execution using a shared resource without proper synchronization. The weakness is also associated with a use-after-free condition, meaning Windows Runtime code may continue to access memory after the underlying object has been released.
Race-condition vulnerabilities exploit timing rather than a simple, deterministic input. Two operations must occur in a particular order or within a narrow window, often forcing an attacker to repeat an action until the vulnerable state appears. That requirement is reflected in Microsoft’s CVSS vector, which rates attack complexity as high.
The full vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, the attacker must already be able to run code locally under a low-privileged account, but does not need a victim to open a document, approve a prompt, or click a link.
This is therefore not a drive-by compromise or an unauthenticated network attack. It is a post-compromise elevation path: the kind of vulnerability an attacker may use after obtaining initial access through phishing, stolen credentials, a malicious application, or another security flaw.
Microsoft has not published proof-of-concept code, detailed exploitation instructions, or the exact Windows Runtime interface involved. Administrators should be wary of vulnerability summaries that infer a specific service, API call, or privilege level beyond what Microsoft has confirmed.

July’s Cumulative Updates Carry the Fix​

CVE-2026-50322 affects a comparatively narrow set of current Windows releases rather than every supported branch. Microsoft’s published product data identifies the following vulnerable configurations:
  • Windows 11 24H2 on x64 and Arm64 systems is affected before OS build 26100.8875.
  • Windows 11 25H2 on x64 and Arm64 systems is affected before OS build 26200.8875.
  • Windows 11 26H1 on x64 and Arm64 systems is included in Microsoft’s affected-product data.
  • Windows Server 2025 and its Server Core installation option are affected before OS build 26100.33158.
Windows 10 does not appear in Microsoft’s affected-product list for this CVE. Neither do older Windows Server branches such as Windows Server 2019 or Windows Server 2022. That distinction matters in mixed estates because a vulnerability scanner should not treat every machine running a Windows Runtime component as vulnerable to CVE-2026-50322.
For Windows 11 24H2 and 25H2, the relevant July package is KB5101650, which advances the systems to builds 26100.8875 and 26200.8875 respectively. Windows Server 2025 receives KB5099536 and moves to build 26100.33158, while Windows 11 26H1 receives KB5101649 and advances to build 28000.2525.
Because these are cumulative operating-system updates, there is no separate CVE-2026-50322 hotfix to download. Installing the applicable July update, or a later cumulative update that supersedes it, provides the correction.
Administrators can verify deployment through Settings, PowerShell, Windows Update for Business reports, Microsoft Intune, Configuration Manager, or their normal endpoint-management platform. The decisive check is the installed OS build, not simply whether an update scan reports no pending packages.

The Score Does Not Describe the Whole Attack Chain​

A CVSS score of 7.0 places CVE-2026-50322 in the High scoring band, although Microsoft labels the vulnerability Important under its own severity system. The score is moderated by the need for local access and high attack complexity, not by limited consequences after exploitation.
Microsoft’s vector assigns high impact to confidentiality, integrity, and availability. That indicates a successful attacker could potentially read protected information, change data or system state, and interfere with the machine’s operation. The advisory does not specify whether exploitation reaches SYSTEM, another elevated service identity, or a different privileged context, so claims of guaranteed SYSTEM access would go beyond the disclosed evidence.
For enterprise defenders, the main concern is chaining. A low-privileged foothold may be constrained by application controls, service permissions, credential protections, and endpoint security products. A reliable local privilege-escalation exploit can help an intruder cross those boundaries, disable defenses, access credentials, establish persistence, or move toward administrative control.
The high-complexity rating offers some reassurance because race conditions can be sensitive to timing, processor load, hardware, and operating-system state. It is not a mitigation. Attackers routinely automate repeated attempts, and reliability can improve if researchers later publish technical analysis or proof-of-concept code.
CISA’s initial assessment recorded no known exploitation and classified the vulnerability as not readily automatable, while recognizing the potential technical impact as total. The National Vulnerability Database was still awaiting its own enrichment as of July 15, with the score and vector supplied by Microsoft.

Patch Priority Depends on Who Uses the Machine​

Internet-facing exposure is not the primary factor for this vulnerability because the attack vector is local. Priority should instead rise on machines where untrusted or semi-trusted users can execute code, where multiple users share a system, or where a compromise would expose privileged credentials.
Windows Server 2025 systems used for Remote Desktop Session Host, application publishing, development, build automation, or shared administration deserve particular attention. The same applies to Windows 11 developer workstations, help-desk PCs, privileged access workstations, virtual desktop images, and endpoints running applications that process content from outside the organization.
On ordinary single-user PCs, the update should still follow the normal security cadence. Malware running as the signed-in user could potentially use CVE-2026-50322 to escape that user’s restricted context, making the vulnerability relevant even when the device has only one interactive account.
Organizations that delay cumulative updates for compatibility testing should not treat disabling Windows Runtime as a practical workaround. Microsoft has not documented a mitigation or configuration change that closes this specific race condition. Removing local administrative membership remains valuable, but the vulnerability is explicitly designed to let a low-privileged attacker seek higher rights.
Application control through Windows Defender Application Control or AppLocker, attack-surface reduction rules, endpoint detection, and restrictions on script interpreters can reduce the chance of initial code execution. Those measures provide defense in depth; they do not repair the vulnerable synchronization and memory-handling logic.

Sparse Disclosure Is Not Low Confidence​

The advisory text supplied with CVE-2026-50322 is brief, but the vulnerability’s existence is not speculative. Microsoft is the assigning CVE Numbering Authority, identifies the affected versions, provides the weakness classifications and CVSS vector, and has shipped corrected Windows builds.
What remains limited is public technical depth. Microsoft has confirmed a Windows Runtime race condition and use-after-free behavior, but has not identified the vulnerable function, exposed a trigger sequence, credited a researcher in the currently available record, or published exploitability demonstrations.
That difference matters when reading confidence metrics. Confidence in the vulnerability and its vendor fix is high; confidence in independent claims about the precise exploitation technique should remain lower until Microsoft or external researchers release additional analysis.
For administrators, the operational answer is simpler than the technical mystery: deploy KB5101650, KB5099536, or KB5101649 as appropriate, then confirm the resulting build. The next meaningful change will be whether CVE-2026-50322 gains public exploit code or evidence of real-world abuse—either development would turn this currently unexploited local flaw into a more urgent incident-response concern.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
 

Back
Top