CVE-2026-50435 Fixed in Windows July 14, 2026 Updates

CVE-2026-50435, a Windows Overlay Filter privilege-escalation flaw rated 7.8 out of 10, was fixed in Microsoft’s July 14, 2026 security updates. The vulnerability requires an attacker to have local access and low-level privileges, but successful exploitation could provide control equivalent to a fully compromised Windows system.
Microsoft confirmed the issue in its Security Update Guide, describing it as a buffer over-read in the Windows Overlay Filter. The National Vulnerability Database has received Microsoft’s CVE record but was still awaiting its own enrichment analysis on July 15.
Administrators should deploy the July cumulative updates rather than treat the absence of remote exploitation as a reason to defer remediation. CVE-2026-50435 is a post-compromise escalation path: it is most dangerous when paired with phishing, malicious downloads, credential theft, or another vulnerability that gives an attacker an initial foothold.

Cybersecurity dashboard showing a July 2026 Windows security update protecting systems from threats.A Local Bug With System-Wide Consequences​

Microsoft assigned CVE-2026-50435 a CVSS 3.1 score of 7.8 and an Important severity rating. Its vector indicates that an attacker must already be able to execute code locally with limited privileges, but exploitation does not require user interaction or unusually complex conditions.
The vulnerability can affect confidentiality, integrity, and availability at the highest level represented by Microsoft’s CVSS assessment. In practical terms, an attacker who successfully triggers it may be able to escape the restrictions of an ordinary account, access protected information, alter system resources, disable defenses, or establish stronger persistence.
That does not make CVE-2026-50435 remotely exploitable by itself. An unauthenticated attacker cannot simply target a vulnerable PC over the network using this flaw. Instead, it can serve as the second stage in an attack chain after malicious code has reached the machine through an application vulnerability, compromised account, weaponized document, or improperly secured remote-management service.
This distinction matters for prioritization, but not because the bug is harmless. Privilege-escalation vulnerabilities are routinely useful to attackers because modern Windows protections attempt to confine untrusted processes and standard users. A reliable path from limited execution to elevated rights can turn an initially contained incident into a complete endpoint compromise.
Microsoft’s published vector specifies low attack complexity, low privileges required, no user interaction, and an unchanged security scope. The “unchanged” scope means exploitation affects resources governed by the same Windows security authority rather than crossing into an independently controlled security boundary. It does not mean that the resulting access is limited or inconsequential.

The Fault Sits in Memory Handling​

The technical description identifies a buffer over-read, categorized as CWE-126. This class of defect occurs when software reads beyond the intended boundary of a memory buffer, potentially exposing adjacent data or causing processing based on unintended memory contents.
Microsoft also associated the vulnerability with CWE-190, integer overflow or wraparound. That pairing suggests that an arithmetic operation involved in calculating a size, offset, or boundary may produce an incorrect value, which then contributes to the out-of-bounds read. Microsoft has not published enough implementation detail to establish the exact vulnerable code path or provide a reliable exploit walkthrough.
The available information therefore supports high confidence that the vulnerability exists: Microsoft, acting as the CVE Numbering Authority, has acknowledged the bug, assigned affected releases, produced a severity assessment, and shipped corrections. Confidence in the deeper technical mechanics is more limited because no detailed root-cause analysis, proof of concept, or independent researcher report was publicly attached to the advisory at publication time.
That difference is important when interpreting vulnerability intelligence metrics. The existence and impact of CVE-2026-50435 are vendor-confirmed, while details that would help defenders create behavior-based detections—or attackers reproduce the flaw—remain sparse. Patch deployment is consequently a more dependable control than attempting to detect exploitation from the public description alone.
Microsoft did not identify the vulnerability as publicly disclosed or under active exploitation when the July updates were released. The SANS Internet Storm Center’s Patch Tuesday tracking likewise listed neither public disclosure nor known exploitation for the CVE. Those assessments can change if exploit code or attack telemetry emerges.

Supported and Extended-Support Windows Releases Are Exposed​

Microsoft’s affected-product record spans Windows 10, Windows 11, and several Windows Server generations. Both x64 and Arm64 Windows 11 devices are included, while some older Windows 10 releases also list 32-bit systems.
Affected releases include:
  • Windows 11 versions 24H2 and 25H2 are vulnerable below OS build 26100.8875 and 26200.8875, respectively.
  • Windows 11 version 26H1 is affected below build 28000.2269.
  • Windows 10 versions 21H2 and 22H2 are affected below builds 19044.7548 and 19045.7548.
  • Windows 10 version 1809 and Windows Server 2019 are affected below build 17763.9020.
  • Windows 10 version 1607 and Windows Server 2016 are affected below build 14393.9339.
  • Windows Server 2022 is affected below build 20348.5386.
  • Windows Server 2025 is affected below build 26100.33158.
  • Windows Server 2012 R2 and its Server Core installation are also listed as affected.
The presence of Windows 10 21H2 and 22H2 in the CVE record does not restore ordinary free support for consumer installations. Windows 10 version 22H2 reached the end of standard support on October 14, 2025, so organizations and individuals still using it need an applicable Extended Security Updates entitlement or another supported servicing arrangement to receive current security fixes.
For mainstream Windows 11 clients, KB5101650 raises Windows 11 24H2 to build 26100.8875 and Windows 11 25H2 to build 26200.8875. Microsoft’s support documentation says the cumulative update is available through Windows Update, Windows Update for Business, the Microsoft Update Catalog, and Windows Server Update Services.
Windows 10 21H2 and 22H2 systems receiving the applicable servicing update move to builds 19044.7548 and 19045.7548 through KB5099539. Windows Server 2022 reaches build 20348.5386 with KB5099540. Other supported server releases have their own July packages, so administrators should match the KB to the operating-system release rather than attempting to deploy a client package broadly.

Inventory Matters More Than a CVSS Number​

Endpoint teams should verify successful installation by checking the resulting OS build, not merely whether deployment software reports that a July update was offered. Devices that are offline, pending a restart, held by a safeguard, or failing servicing-stack prerequisites can remain below the corrected build even after an apparently successful deployment wave.
Windows 11 fleets require additional attention because Microsoft temporarily withheld KB5101650 from a limited number of Dell devices using Intel processors. Microsoft said Dell reported an incompatibility that could lead to unexpected shutdowns, reduced performance, increased heat, and battery drain. Administrators responsible for affected hardware should monitor Microsoft and Dell guidance rather than forcing the update without testing.
That safeguard creates an uncomfortable but familiar security tradeoff. A device blocked from receiving KB5101650 may remain exposed to CVE-2026-50435 and the other vulnerabilities addressed in July, but bypassing a compatibility hold could introduce stability or thermal problems. Network restrictions, application control, removal of unnecessary local administrator access, and close endpoint monitoring become more important until a compatible update path is available.
Organizations should also review where standard-user execution is permitted. Application allowlisting through Windows Defender Application Control or AppLocker can make the initial execution stage harder, while Microsoft Defender for Endpoint and comparable EDR products may expose suspicious privilege transitions and post-exploitation behavior. These measures reduce risk but do not repair the faulty Windows component.
The most useful deployment check is concrete: Windows 11 24H2 should report build 26100.8875 or later, Windows 11 25H2 should report 26200.8875 or later, and each server release should meet the fixed build specified in Microsoft’s affected-product table. Anything below the applicable fixed build remains vulnerable, regardless of whether the machine has rebooted recently or displays a generic “up to date” message.
CVE-2026-50435 was not one of July’s publicly disclosed or actively exploited Windows zero-days, but its low-complexity local escalation characteristics make it valuable in a broader intrusion chain. The immediate milestone for IT teams is completion of the July 14 rollout—and a documented exception list for every machine that cannot yet reach its corrected build.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top