CVE-2026-50465 Windows DNS Fix: Install KB5101650

CVE-2026-50465, an Important-rated Windows DNS Client tampering vulnerability, has been fixed for Windows 11 24H2 and 25H2 alongside Windows Server 2025 in Microsoft’s July 14, 2026 security updates. The flaw requires local access and an already authorized, low-privileged attacker, but successful exploitation could let that attacker compromise data integrity and disrupt system availability without requiring user interaction.
Microsoft’s Security Update Guide describes the underlying weakness as improper access control in Windows DNS. The National Vulnerability Database, which is still awaiting its own enrichment of the record, carries Microsoft’s CVSS 3.1 base score of 7.1 and identifies the issue as CWE-284, Improper Access Control.
Microsoft classifies CVE-2026-50465 as Important, not Critical. SANS Internet Storm Center’s July Patch Tuesday inventory reports that the vulnerability was neither publicly disclosed nor known to be exploited when Microsoft published the fix.

Infographic contrasts DNS response tampering before and after a Windows security update, showing compromised versus protected systems.A Local Flaw With System-Level Consequences​

The CVSS vector is unusually useful here because Microsoft has released little public technical detail about the vulnerable operation. CVE-2026-50465 has a local attack vector, low attack complexity, low privileges required, and no user-interaction requirement.
That combination rules out the most alarming interpretation of a DNS vulnerability: this is not documented as an unauthenticated attack delivered remotely through a malicious DNS response. An attacker must first obtain a foothold on the Windows machine and possess some level of authorized access.
The impact metrics nevertheless warrant attention. Microsoft assigns no confidentiality impact but rates both integrity and availability impact as high. In practical terms, the documented risk is not directly about reading passwords, files, or DNS traffic; it is about altering protected state or interfering with the system once local access has been established.
Microsoft calls the result tampering, a broad category that can cover unauthorized modification of configuration, data, or behavior. The company has not publicly explained exactly which DNS Client resource lacks sufficient access control, what an attacker could change, or whether exploitation would persist after a restart.
That absence of detail matters. Administrators should not infer that CVE-2026-50465 necessarily permits arbitrary DNS cache poisoning, redirection of every lookup, or modification of configured DNS servers. Those are plausible concerns whenever DNS integrity is involved, but they have not been confirmed for this specific CVE.
Microsoft does, however, mark the report confidence as confirmed. That means the vendor accepts that the vulnerability exists and has enough technical evidence to issue a security correction, even though those underlying details have not been made public.

The Affected Builds Draw a Narrow Boundary​

The published affected-product list is limited to newer Windows releases. Microsoft identifies Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, and Windows Server 2025, including Server Core installations.
The fixed build thresholds are:
  • Windows 11 24H2 is protected at OS build 26100.8875 or later.
  • Windows 11 25H2 is protected at OS build 26200.8875 or later.
  • Windows 11 26H1 is protected at OS build 28000.2269 or later.
  • Windows Server 2025 is protected at OS build 26100.33158 or later.
For Windows 11 24H2 and 25H2, the relevant July cumulative update is KB5101650, released July 14. It advances the two releases to builds 26100.8875 and 26200.8875 respectively.
Windows Server 2025 receives the fix through KB5099536, which moves the operating system to build 26100.33158. The update applies to both the full desktop installation and Server Core, so organizations should not treat headless servers as outside the vulnerability’s scope.
Windows 11 26H1 is the outlier in the chronology. Microsoft lists builds earlier than 28000.2269 as affected, but build 28000.2269 was already delivered in the June 9, 2026 cumulative update KB5095051. A 26H1 machine that successfully installed that update or a later cumulative package has therefore crossed Microsoft’s fixed-build threshold even though the CVE was not published until July 14.
The CVE record does not list Windows 10, Windows 11 23H2, or older Windows Server editions as affected. Administrators should follow the vendor’s product table rather than assuming every implementation of the Windows DNS Client shares this particular access-control defect.

Patch Priority Depends on Where the Endpoint Sits​

CVE-2026-50465 does not carry the immediate urgency of an Internet-facing remote-code-execution vulnerability or an actively exploited zero-day. Its prerequisites mean an attacker must already be operating locally under an authorized account before attempting the tampering step.
That does not make the flaw inconsequential. Local vulnerabilities are commonly useful after an attacker gains initial access through phishing, stolen credentials, a malicious installer, an exposed service, or another vulnerability. A DNS-related integrity primitive could potentially help an intruder interfere with name-dependent applications or security controls, although Microsoft has not disclosed enough detail to map the exact attack chain.
Windows Server 2025 systems deserve particular scrutiny because DNS resolution underpins Active Directory, application connectivity, management agents, update infrastructure, backup software, and authentication workflows. Even without confidentiality impact, an integrity or availability failure in a foundational networking component can produce disproportionate operational disruption.
Domain controllers running Windows Server 2025 should also be included in the rollout. CVE-2026-50465 concerns the DNS Client rather than the Windows DNS Server role, so a machine does not need to host DNS zones to be affected. A server can be exposed through its client-side resolver while using another server for DNS responses.
For enterprises that stage monthly updates, the sensible order is to patch high-value Windows Server 2025 systems and privileged administrative workstations before moving through the broader Windows 11 population. Internet exposure is not the deciding factor here; the value of the system after an attacker has obtained local access is more relevant.
Security teams should also resist relying on endpoint detection as a substitute for the update. Microsoft has not published indicators of compromise, event-log patterns, registry paths, file names, or other artifacts that would allow defenders to identify exploitation reliably. With the vulnerable resource still unspecified, detection engineering would largely be guesswork.

Build Verification Is the Fastest Compliance Check​

Because Windows cumulative updates supersede earlier packages, administrators do not need a standalone CVE-specific installer. Deploying the applicable July cumulative update—or any later cumulative update containing it—provides the correction.
On an individual machine, winver provides a quick build check. PowerShell inventory, Microsoft Intune, Configuration Manager, Windows Server Update Services, Azure Update Manager, or another endpoint-management platform can be used to confirm the build across a fleet.
The practical minimums are straightforward: 26100.8875 for Windows 11 24H2, 26200.8875 for Windows 11 25H2, 28000.2269 for Windows 11 26H1, and 26100.33158 for Windows Server 2025. Devices below those numbers remain within Microsoft’s affected ranges.
Organizations should validate successful installation rather than relying only on an update approval state. Offline laptops, servers with pending restarts, machines held by safeguard policies, and endpoints reporting stale inventory can all appear covered in a deployment console while continuing to run an older build.
Microsoft has not published a workaround or mitigation specific to CVE-2026-50465. Restricting local account access, applying least privilege, protecting administrator credentials, and monitoring unexpected DNS configuration changes remain useful defense-in-depth measures, but they do not replace the corrected Windows binaries.
The immediate action is therefore uncomplicated: install KB5101650 on supported Windows 11 24H2 and 25H2 devices, install KB5099536 on Windows Server 2025, and verify that Windows 11 26H1 systems are at build 28000.2269 or newer. The unresolved issue is technical visibility—Microsoft has confirmed the vulnerability and shipped the fix, but has not yet disclosed precisely what an authenticated local attacker could tamper with inside the Windows DNS Client.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top