Microsoft has fixed CVE-2026-50375, an Important-rated elevation-of-privilege vulnerability in the Windows DirectX Graphics Kernel, through the July 14, 2026 security updates. The flaw affects supported Windows 10, Windows 11, and Windows Server releases and could allow an attacker who already has local access to gain greater control over a compromised machine.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, CVE-2026-50375 is a heap-based buffer overflow in Windows DirectX. Microsoft assigned it a CVSS 3.1 score of 6.3, while the Zero Day Initiative lists no evidence that the vulnerability was publicly disclosed or exploited before patches became available.
This is not a drive-by compromise or a remotely exploitable DirectX bug. Exploitation requires an attacker to authenticate locally, and Microsoft’s scoring indicates that a successful attack would involve high complexity. Those requirements lower the immediate likelihood of widespread abuse, but they do not make the flaw harmless once an attacker has established an initial foothold.
The DirectX Graphics Kernel is part of Windows’ privileged graphics infrastructure, rather than merely a gaming API used by individual applications. It coordinates graphics workloads and mediates access between user-mode software, display drivers, and kernel resources.
CVE-2026-50375 is classified as CWE-122, a heap-based buffer overflow. In broad terms, this type of defect occurs when software writes more data into a heap allocation than the allocated region can safely contain. The overwrite can corrupt nearby objects or control data, potentially allowing carefully prepared input to alter execution inside a privileged process or kernel component.
Microsoft describes the result as local elevation of privilege. The CVSS vector records low privileges as a prerequisite and requires no user interaction, meaning the attacker must already be able to run code or operate under an authorized account but does not need another user to click a file or approve a prompt.
The score also describes high impacts to integrity and availability, but no direct confidentiality impact. In practice, successful exploitation could reportedly let an attacker modify protected system resources or disrupt the machine. Microsoft has not published exploit code, the vulnerable function, or technical instructions for reproducing the overflow, so the precise post-exploitation privilege level and trigger remain undisclosed.
That absence of detail matters. A confirmed vendor advisory establishes that the vulnerability exists and that Microsoft has shipped a correction, but it does not automatically provide attackers with a ready-made exploit. Reverse engineering the July cumulative updates could eventually expose the relevant code changes, however, particularly because security researchers routinely compare patched and unpatched Windows binaries.
The corrected build thresholds identified in the CVE data include:
For Windows 10 Version 21H2 and 22H2, the July package is KB5099539, which advances the operating systems to builds 19044.7548 and 19045.7548. Windows Server 2022 reaches build 20348.5386 through KB5099540. Because cumulative Windows updates replace earlier fixes, installing a later cumulative update should also include the correction unless Microsoft documents an exception.
Organizations still operating Windows releases under Extended Security Updates must verify both licensing and patch applicability. A machine showing a familiar Windows version number is not necessarily receiving security corrections, especially where consumer support has ended or an enterprise is relying on an ESU entitlement.
The lower score reflects attack prerequisites, not uncertainty over whether the flaw exists. Microsoft is the CVE Numbering Authority for this record, has identified the defect as a heap overflow, and has supplied affected-version boundaries. The National Vulnerability Database was still awaiting its own enrichment shortly after publication, but it had already imported Microsoft’s description, CVSS vector, weakness classification, and product data.
CISA’s initial assessment recorded no known exploitation and characterized the attack as non-automatable. That is consistent with Microsoft’s high-complexity rating and with the lack of a disclosed proof of concept. It is a snapshot, however, rather than a guarantee that exploitation will remain impractical.
For enterprise defenders, the meaningful risk is exploit chaining. A threat actor may first gain limited local execution through phishing, a malicious installer, a browser flaw, stolen credentials, or another remote-code-execution vulnerability. A local privilege-escalation bug can then provide the step needed to disable defenses, alter protected files, establish persistence, or move from an ordinary user context into a more powerful one.
Graphics-kernel flaws also deserve attention on systems that do not look graphics-intensive. Windows servers, virtual desktops, developer workstations, kiosks, and cloud-hosted Windows instances still contain substantial graphics and display infrastructure. The presence of a high-end physical GPU is not a prerequisite for a Windows graphics component to become part of the attack surface.
Because the fix touches the DirectX graphics stack, test rings should include more than basic boot and sign-in checks. Administrators should exercise GPU-accelerated browsers, Microsoft Teams or similar conferencing software, CAD and media applications, Remote Desktop sessions, virtual desktop agents, and systems using vendor-specific Intel, AMD, or NVIDIA display drivers.
Any rendering regression after the cumulative update should be investigated without treating removal of the security patch as the default solution. Updating the display driver, checking Windows release-health notices, and comparing behavior against a clean driver installation are safer first steps than returning a machine to a vulnerable OS build.
Security teams should also review whether unprivileged users can install or execute arbitrary applications on sensitive workstations and servers. Application control through Windows Defender Application Control or AppLocker, least-privilege account policies, and endpoint detection rules for suspicious child processes and privilege transitions can reduce the opportunity to use a local flaw even when patch deployment is delayed.
CVE-2026-50375 was not the most severe item in the July 14 release, and current evidence does not place it among the month’s actively exploited zero-days. Its broad Windows coverage and location in a privileged kernel component nevertheless make it unsuitable for indefinite deferral. The concrete milestone is the patched build number: endpoints below the applicable July 2026 threshold remain exposed until their cumulative update is successfully installed and verified.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, CVE-2026-50375 is a heap-based buffer overflow in Windows DirectX. Microsoft assigned it a CVSS 3.1 score of 6.3, while the Zero Day Initiative lists no evidence that the vulnerability was publicly disclosed or exploited before patches became available.
This is not a drive-by compromise or a remotely exploitable DirectX bug. Exploitation requires an attacker to authenticate locally, and Microsoft’s scoring indicates that a successful attack would involve high complexity. Those requirements lower the immediate likelihood of widespread abuse, but they do not make the flaw harmless once an attacker has established an initial foothold.
A Graphics Bug With System-Level Consequences
The DirectX Graphics Kernel is part of Windows’ privileged graphics infrastructure, rather than merely a gaming API used by individual applications. It coordinates graphics workloads and mediates access between user-mode software, display drivers, and kernel resources.CVE-2026-50375 is classified as CWE-122, a heap-based buffer overflow. In broad terms, this type of defect occurs when software writes more data into a heap allocation than the allocated region can safely contain. The overwrite can corrupt nearby objects or control data, potentially allowing carefully prepared input to alter execution inside a privileged process or kernel component.
Microsoft describes the result as local elevation of privilege. The CVSS vector records low privileges as a prerequisite and requires no user interaction, meaning the attacker must already be able to run code or operate under an authorized account but does not need another user to click a file or approve a prompt.
The score also describes high impacts to integrity and availability, but no direct confidentiality impact. In practice, successful exploitation could reportedly let an attacker modify protected system resources or disrupt the machine. Microsoft has not published exploit code, the vulnerable function, or technical instructions for reproducing the overflow, so the precise post-exploitation privilege level and trigger remain undisclosed.
That absence of detail matters. A confirmed vendor advisory establishes that the vulnerability exists and that Microsoft has shipped a correction, but it does not automatically provide attackers with a ready-made exploit. Reverse engineering the July cumulative updates could eventually expose the relevant code changes, however, particularly because security researchers routinely compare patched and unpatched Windows binaries.
Windows 10 Through Windows 11 26H1 Are Affected
Microsoft’s CVE record covers a broad range of client and server builds. The affected versions include Windows 10 Version 1809, Windows 10 Version 21H2, Windows 10 Version 22H2, Windows 11 Version 24H2, Windows 11 Version 25H2, and Windows 11 version 26H1.The corrected build thresholds identified in the CVE data include:
- Windows 10 Version 1809 and Windows Server 2019 are protected at build 17763.9020 or later.
- Windows 10 Version 21H2 is protected at build 19044.7548 or later.
- Windows 10 Version 22H2 is protected at build 19045.7548 or later.
- Windows 11 Version 24H2 is protected at build 26100.8875 or later.
- Windows 11 Version 25H2 is protected at build 26200.8875 or later.
- Windows 11 version 26H1 is protected at build 28000.2269 or later.
- Windows Server 2022 is protected at build 20348.5386 or later.
For Windows 10 Version 21H2 and 22H2, the July package is KB5099539, which advances the operating systems to builds 19044.7548 and 19045.7548. Windows Server 2022 reaches build 20348.5386 through KB5099540. Because cumulative Windows updates replace earlier fixes, installing a later cumulative update should also include the correction unless Microsoft documents an exception.
Organizations still operating Windows releases under Extended Security Updates must verify both licensing and patch applicability. A machine showing a familiar Windows version number is not necessarily receiving security corrections, especially where consumer support has ended or an enterprise is relying on an ESU entitlement.
The CVSS Number Does Not Tell the Whole Deployment Story
At 6.3, CVE-2026-50375 sits below many of the higher-scoring kernel vulnerabilities in the same unusually large July 2026 Patch Tuesday release. BleepingComputer counted hundreds of fixes in the monthly rollout, while the Zero Day Initiative catalogued several other DirectX Graphics Kernel elevation-of-privilege flaws with scores of 7.0 or 7.8.The lower score reflects attack prerequisites, not uncertainty over whether the flaw exists. Microsoft is the CVE Numbering Authority for this record, has identified the defect as a heap overflow, and has supplied affected-version boundaries. The National Vulnerability Database was still awaiting its own enrichment shortly after publication, but it had already imported Microsoft’s description, CVSS vector, weakness classification, and product data.
CISA’s initial assessment recorded no known exploitation and characterized the attack as non-automatable. That is consistent with Microsoft’s high-complexity rating and with the lack of a disclosed proof of concept. It is a snapshot, however, rather than a guarantee that exploitation will remain impractical.
For enterprise defenders, the meaningful risk is exploit chaining. A threat actor may first gain limited local execution through phishing, a malicious installer, a browser flaw, stolen credentials, or another remote-code-execution vulnerability. A local privilege-escalation bug can then provide the step needed to disable defenses, alter protected files, establish persistence, or move from an ordinary user context into a more powerful one.
Graphics-kernel flaws also deserve attention on systems that do not look graphics-intensive. Windows servers, virtual desktops, developer workstations, kiosks, and cloud-hosted Windows instances still contain substantial graphics and display infrastructure. The presence of a high-end physical GPU is not a prerequisite for a Windows graphics component to become part of the attack surface.
Patch Testing Should Focus on Drivers and Rendering Workloads
Microsoft has not published a separate mitigation or registry workaround for CVE-2026-50375. The practical remediation is therefore to install the applicable July 2026 cumulative security update and restart the device as required.Because the fix touches the DirectX graphics stack, test rings should include more than basic boot and sign-in checks. Administrators should exercise GPU-accelerated browsers, Microsoft Teams or similar conferencing software, CAD and media applications, Remote Desktop sessions, virtual desktop agents, and systems using vendor-specific Intel, AMD, or NVIDIA display drivers.
Any rendering regression after the cumulative update should be investigated without treating removal of the security patch as the default solution. Updating the display driver, checking Windows release-health notices, and comparing behavior against a clean driver installation are safer first steps than returning a machine to a vulnerable OS build.
Security teams should also review whether unprivileged users can install or execute arbitrary applications on sensitive workstations and servers. Application control through Windows Defender Application Control or AppLocker, least-privilege account policies, and endpoint detection rules for suspicious child processes and privilege transitions can reduce the opportunity to use a local flaw even when patch deployment is delayed.
CVE-2026-50375 was not the most severe item in the July 14 release, and current evidence does not place it among the month’s actively exploited zero-days. Its broad Windows coverage and location in a privileged kernel component nevertheless make it unsuitable for indefinite deferral. The concrete milestone is the patched build number: endpoints below the applicable July 2026 threshold remain exposed until their cumulative update is successfully installed and verified.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com