Microsoft has fixed CVE-2026-50437, an information-disclosure vulnerability in the Windows DWM Core Library that can allow a locally authenticated attacker to read data outside an intended memory boundary. The flaw affects supported Windows 11, Windows 10, and Windows Server releases, making July 2026 security updates the practical remedy for both endpoints and servers.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability is rated Important with a CVSS 3.1 base score of 5.5. The National Vulnerability Database describes the underlying weakness as an out-of-bounds read, tracked as CWE-125, and lists Microsoft as the assigning authority.
This is not a remote-code-execution bug, and the available scoring does not indicate an unauthenticated network attack. It nevertheless matters because the exposed component is part of Windows’ core graphical infrastructure and successful exploitation could disclose information that an attacker should not be able to access.
Microsoft’s CVSS vector is
The resulting security impact is limited to confidentiality. Microsoft assigns no direct integrity or availability impact, meaning CVE-2026-50437 is not documented as a way to modify protected data, crash the system, or immediately obtain administrator privileges.
The confidentiality rating is High, however. An out-of-bounds read occurs when software accesses memory beyond the limits of the buffer or object it was meant to process. Depending on what occupies that adjacent memory, the result can expose fragments of data belonging to Windows or another operation handled by the affected component.
Microsoft’s public description does not identify the exact data that can be recovered, the triggering DWM operation, or the amount of memory exposed. There is also no publicly documented exploit chain showing the flaw combined with a separate privilege-escalation or code-execution vulnerability.
That distinction should shape triage. CVE-2026-50437 is unlikely to be the first step into an organization because an attacker already needs an authorized local foothold. It is more relevant as a post-compromise primitive that could help an intruder gather information for another stage of an attack.
The affected DWM Core Library is therefore not an optional third-party package that administrators can simply remove. Microsoft’s affected-product data spans modern Windows 11 systems, older Windows 10 branches still receiving applicable servicing, and multiple Windows Server generations.
The vulnerable releases and corrected build thresholds published through Microsoft’s CVE data include:
That Server Core coverage is worth noting. Although Server Core omits the conventional full desktop experience, it still includes Windows components and libraries needed by supported roles and management functionality. Administrators should therefore rely on Microsoft’s affected-product matrix rather than assuming a headless or reduced-interface deployment is unaffected by a DWM-labelled vulnerability.
That does not mean every technical detail is public. The record confirms an out-of-bounds read and local information disclosure, but it does not currently provide the vulnerable function, proof-of-concept code, memory layout, or reliable exploitation procedure.
For defenders, this is a useful separation between confidence that the vulnerability exists and depth of public exploit knowledge. Vendor confirmation makes the flaw real and patchable, while the absence of detailed exploitation material limits what can responsibly be said about practical data exposure.
It also means vulnerability scanners may report CVE-2026-50437 using installed build numbers rather than by probing the vulnerable DWM behavior. Security teams should validate remediation through the installed cumulative update and OS build, not by expecting a standalone DWM package or a separate application version.
For managed environments, the appropriate response is to deploy the applicable July 2026 cumulative update through Windows Update, Windows Server Update Services, Microsoft Configuration Manager, Microsoft Intune, or the organization’s normal patch-management platform. Administrators should first test the complete cumulative update against graphics-intensive applications, remote-session workloads, virtual desktop infrastructure, and server management tooling rather than trying to isolate only the CVE fix.
After installation and the required restart, teams can verify the corrected OS level with
CVE-2026-50437 does not carry the reach of a wormable network flaw, but its low-complexity local attack path and High confidentiality impact make it relevant on shared workstations, Remote Desktop Session Hosts, developer systems, virtual desktops, and servers where multiple users or services operate. The concrete milestone is straightforward: affected machines should be at or above Microsoft’s July 14, 2026 corrected build numbers, with any exceptions documented rather than left on an indefinite deployment deferral.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability is rated Important with a CVSS 3.1 base score of 5.5. The National Vulnerability Database describes the underlying weakness as an out-of-bounds read, tracked as CWE-125, and lists Microsoft as the assigning authority.
This is not a remote-code-execution bug, and the available scoring does not indicate an unauthenticated network attack. It nevertheless matters because the exposed component is part of Windows’ core graphical infrastructure and successful exploitation could disclose information that an attacker should not be able to access.
The Attack Starts After a Windows Login
Microsoft’s CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In operational terms, exploitation requires local access and low privileges, but it carries low attack complexity and does not require a victim to open a document, click a link, or approve a prompt.The resulting security impact is limited to confidentiality. Microsoft assigns no direct integrity or availability impact, meaning CVE-2026-50437 is not documented as a way to modify protected data, crash the system, or immediately obtain administrator privileges.
The confidentiality rating is High, however. An out-of-bounds read occurs when software accesses memory beyond the limits of the buffer or object it was meant to process. Depending on what occupies that adjacent memory, the result can expose fragments of data belonging to Windows or another operation handled by the affected component.
Microsoft’s public description does not identify the exact data that can be recovered, the triggering DWM operation, or the amount of memory exposed. There is also no publicly documented exploit chain showing the flaw combined with a separate privilege-escalation or code-execution vulnerability.
That distinction should shape triage. CVE-2026-50437 is unlikely to be the first step into an organization because an attacker already needs an authorized local foothold. It is more relevant as a post-compromise primitive that could help an intruder gather information for another stage of an attack.
DWM’s Reach Extends Across Desktop and Server Builds
Desktop Window Manager, commonly associated with thedwm.exe process, composes the graphical Windows desktop. It handles the final presentation of windows and visual surfaces rather than allowing every application to draw directly to the display independently.The affected DWM Core Library is therefore not an optional third-party package that administrators can simply remove. Microsoft’s affected-product data spans modern Windows 11 systems, older Windows 10 branches still receiving applicable servicing, and multiple Windows Server generations.
The vulnerable releases and corrected build thresholds published through Microsoft’s CVE data include:
- Windows 11 version 24H2 systems must be updated to build 26100.8875 or later.
- Windows 11 version 25H2 systems must be updated to build 26200.8875 or later.
- Windows 11 version 26H1 systems must be updated to build 28000.2269 or later.
- Windows 10 version 22H2 systems must be updated to build 19045.7548 or later.
- Windows 10 version 21H2 systems must be updated to build 19044.7548 or later.
- Windows 10 version 1809 and Windows Server 2019 must be updated to build 17763.9020 or later.
- Windows 10 version 1607 and Windows Server 2016 must be updated to build 14393.9339 or later.
- Windows Server 2022 must be updated to build 20348.5386 or later.
- Windows Server 2025 must be updated to build 26100.33158 or later.
That Server Core coverage is worth noting. Although Server Core omits the conventional full desktop experience, it still includes Windows components and libraries needed by supported roles and management functionality. Administrators should therefore rely on Microsoft’s affected-product matrix rather than assuming a headless or reduced-interface deployment is unaffected by a DWM-labelled vulnerability.
A Confirmed Bug With Limited Public Detail
The vulnerability’s existence has a high degree of confidence because Microsoft has acknowledged it, assigned the CVE, supplied the CVSS vector, identified the weakness class, listed affected builds, and released corrected versions. The National Vulnerability Database received the record from Microsoft on July 14 and initially marked it as awaiting NVD enrichment, meaning NIST had not yet added an independent CVSS assessment.That does not mean every technical detail is public. The record confirms an out-of-bounds read and local information disclosure, but it does not currently provide the vulnerable function, proof-of-concept code, memory layout, or reliable exploitation procedure.
For defenders, this is a useful separation between confidence that the vulnerability exists and depth of public exploit knowledge. Vendor confirmation makes the flaw real and patchable, while the absence of detailed exploitation material limits what can responsibly be said about practical data exposure.
It also means vulnerability scanners may report CVE-2026-50437 using installed build numbers rather than by probing the vulnerable DWM behavior. Security teams should validate remediation through the installed cumulative update and OS build, not by expecting a standalone DWM package or a separate application version.
Patch Through the Normal Cumulative Update Pipeline
Microsoft has not documented a configuration workaround that provides the same protection as installing the July update. Disabling visual effects, using a basic theme, endingdwm.exe, or running applications without visible windows should not be treated as mitigation; DWM is an integral Windows component and is normally restarted or protected by the operating system.For managed environments, the appropriate response is to deploy the applicable July 2026 cumulative update through Windows Update, Windows Server Update Services, Microsoft Configuration Manager, Microsoft Intune, or the organization’s normal patch-management platform. Administrators should first test the complete cumulative update against graphics-intensive applications, remote-session workloads, virtual desktop infrastructure, and server management tooling rather than trying to isolate only the CVE fix.
After installation and the required restart, teams can verify the corrected OS level with
winver, the Settings app’s Windows Update history, PowerShell, or their endpoint inventory system. Compliance rules should check the revision threshold for each Windows branch because a generic “July update installed” label may be insufficient where preview releases, delayed rings, or superseded packages are present.CVE-2026-50437 does not carry the reach of a wormable network flaw, but its low-complexity local attack path and High confidentiality impact make it relevant on shared workstations, Remote Desktop Session Hosts, developer systems, virtual desktops, and servers where multiple users or services operate. The concrete milestone is straightforward: affected machines should be at or above Microsoft’s July 14, 2026 corrected build numbers, with any exceptions documented rather than left on an indefinite deployment deferral.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: www2.gov.bc.ca