Microsoft has patched CVE-2026-50420, an Important-rated information disclosure vulnerability in Windows HTTP.sys that could let an unauthorized attacker expose sensitive memory data from a local system. The fix arrived on July 14, 2026, through cumulative updates for Windows 11 24H2, 25H2, 26H1, and Windows Server 2025.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, the flaw is an out-of-bounds read in the Windows HTTP protocol stack. Microsoft assigned it a CVSS 3.1 base score of 6.2 and classified the report as confirmed, meaning the vulnerability’s existence is established even though Microsoft has published little information about its underlying mechanics.
Administrators should deploy the relevant cumulative update rather than treating this as an internet-facing HTTP.sys emergency. Microsoft’s scoring says exploitation requires local access, but the potential confidentiality impact is high and no privileges or user interaction are required.
HTTP.sys is a kernel-mode Windows component that processes HTTP traffic for services including Internet Information Services and applications built on Windows HTTP Server APIs. That makes any HTTP.sys vulnerability noteworthy, particularly on servers where the driver may sit directly in the request path.
CVE-2026-50420 is different from the familiar class of remotely exploitable HTTP.sys bugs. Microsoft’s CVSS vector is
The vulnerability therefore should not be described as an unauthenticated remote data leak merely because HTTP.sys handles network traffic. Microsoft and NIST explicitly characterize the attack as local. An attacker would first need a way to execute or submit the relevant operation from the affected machine, although that initial foothold would not need elevated Windows privileges.
A successful attack affects confidentiality rather than system integrity or availability. Microsoft has not said exactly what information could be recovered, how much memory might be exposed, or whether repeated exploitation could reveal predictable material such as kernel addresses, tokens, request data, or credentials. Those possibilities should not be assumed without technical evidence.
The published weakness classification, CWE-125, identifies an out-of-bounds read. This type of defect occurs when software reads beyond the intended boundary of a memory buffer, potentially returning adjacent data that the requesting code was never meant to access.
The key combination is local access with no privileges required. Systems that allow untrusted users to run code, host multiple customers, process untrusted workloads, or provide shared remote desktop environments have a different exposure profile from locked-down single-user PCs.
That distinction matters for Windows Server 2025 deployments running web hosting, build services, virtual desktop infrastructure, or application platforms. Even when an information disclosure vulnerability does not provide code execution by itself, leaked memory can sometimes help an attacker prepare a second-stage exploit by exposing data that weakens another security boundary.
Microsoft assessed confidentiality impact as high while assigning no integrity or availability impact. In practical terms, the flaw is not documented as allowing an attacker to modify files, take control of Windows, or crash the system. Its value would be in learning something that should have remained inaccessible.
Microsoft also marked the vulnerability’s report confidence as confirmed. That metric speaks to the credibility of the vulnerability record and available technical validation; it does not mean exploitation has been observed in the wild. The July Patch Tuesday tracking published by the SANS Internet Storm Center listed CVE-2026-50420 as neither publicly disclosed nor exploited at release.
The applicable remediation paths are:
That 26H1 version record creates a minor chronology wrinkle because build 28000.2269 was already distributed with KB5095051 in June. Administrators should avoid trying to interpret the CVE solely from that boundary and deploy the current July update, KB5101649, which Microsoft identifies as the latest security package for 26H1.
No separate workaround or configuration mitigation has been documented. Disabling IIS is not an adequate general response because HTTP.sys is a Windows component used by more than IIS, and Microsoft’s advisory does not establish that removing a particular web-server role eliminates the vulnerable local code path.
Shared systems deserve faster treatment. Remote Desktop Session Hosts, developer workstations running untrusted projects, multi-user servers, testing machines, and Windows hosts that execute third-party workloads offer more realistic paths for an unauthorized local attacker to reach vulnerable functionality.
Server administrators should also account for the broader changes bundled into July’s cumulative updates. Microsoft says KB5099536 introduces networking hardening that enforces registration requirements for third-party Transport Driver Interface transports. Applications using sockets over unregistered third-party TDI transports may stop working after installation, so deployment testing should include legacy networking and security software rather than HTTP workloads alone.
The usual cumulative-update controls remain appropriate: stage the update on representative systems, check application and driver compatibility, deploy within the organization’s security window, and verify the resulting OS build. Vulnerability scanners should ultimately recognize the fixed build rather than relying only on whether HTTP.sys, IIS, or a visible web role appears to be enabled.
CVE-2026-50420 is not a remote HTTP.sys takeover and should not displace actively exploited vulnerabilities at the top of an emergency queue. It is, however, a confirmed kernel-level memory disclosure with no privilege requirement once an attacker is local. Installing KB5101650, KB5101649, or KB5099536 closes that path while giving administrators a concrete build number to verify across July’s Windows estate.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, the flaw is an out-of-bounds read in the Windows HTTP protocol stack. Microsoft assigned it a CVSS 3.1 base score of 6.2 and classified the report as confirmed, meaning the vulnerability’s existence is established even though Microsoft has published little information about its underlying mechanics.
Administrators should deploy the relevant cumulative update rather than treating this as an internet-facing HTTP.sys emergency. Microsoft’s scoring says exploitation requires local access, but the potential confidentiality impact is high and no privileges or user interaction are required.
A Local Attack Against a Network-Facing Component
HTTP.sys is a kernel-mode Windows component that processes HTTP traffic for services including Internet Information Services and applications built on Windows HTTP Server APIs. That makes any HTTP.sys vulnerability noteworthy, particularly on servers where the driver may sit directly in the request path.CVE-2026-50420 is different from the familiar class of remotely exploitable HTTP.sys bugs. Microsoft’s CVSS vector is
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which identifies a local attack vector with low attack complexity, no required privileges, and no user interaction.The vulnerability therefore should not be described as an unauthenticated remote data leak merely because HTTP.sys handles network traffic. Microsoft and NIST explicitly characterize the attack as local. An attacker would first need a way to execute or submit the relevant operation from the affected machine, although that initial foothold would not need elevated Windows privileges.
A successful attack affects confidentiality rather than system integrity or availability. Microsoft has not said exactly what information could be recovered, how much memory might be exposed, or whether repeated exploitation could reveal predictable material such as kernel addresses, tokens, request data, or credentials. Those possibilities should not be assumed without technical evidence.
The published weakness classification, CWE-125, identifies an out-of-bounds read. This type of defect occurs when software reads beyond the intended boundary of a memory buffer, potentially returning adjacent data that the requesting code was never meant to access.
The Score Hides an Important Privilege Detail
A CVSS score of 6.2 places CVE-2026-50420 in the medium numerical band, while Microsoft lists the vulnerability with an Important severity rating. Neither designation makes it the leading emergency in a large Patch Tuesday deployment, but the individual vector deserves attention.The key combination is local access with no privileges required. Systems that allow untrusted users to run code, host multiple customers, process untrusted workloads, or provide shared remote desktop environments have a different exposure profile from locked-down single-user PCs.
That distinction matters for Windows Server 2025 deployments running web hosting, build services, virtual desktop infrastructure, or application platforms. Even when an information disclosure vulnerability does not provide code execution by itself, leaked memory can sometimes help an attacker prepare a second-stage exploit by exposing data that weakens another security boundary.
Microsoft assessed confidentiality impact as high while assigning no integrity or availability impact. In practical terms, the flaw is not documented as allowing an attacker to modify files, take control of Windows, or crash the system. Its value would be in learning something that should have remained inaccessible.
Microsoft also marked the vulnerability’s report confidence as confirmed. That metric speaks to the credibility of the vulnerability record and available technical validation; it does not mean exploitation has been observed in the wild. The July Patch Tuesday tracking published by the SANS Internet Storm Center listed CVE-2026-50420 as neither publicly disclosed nor exploited at release.
Four Update Paths Close the Exposure
The affected-product list is unusually narrow for a Windows kernel networking flaw. Microsoft identifies supported Windows 11 releases and Windows Server 2025, including Server Core, rather than a long tail of older Windows and Windows Server versions.The applicable remediation paths are:
- Windows 11 24H2 and 25H2 receive KB5101650, advancing systems to OS builds 26100.8875 and 26200.8875, respectively.
- Windows 11 26H1 receives KB5101649, advancing the operating system to build 28000.2525.
- Windows Server 2025 receives KB5099536, advancing the operating system to build 26100.33158.
- Windows Server 2025 Server Core installations receive the same KB5099536 cumulative update.
That 26H1 version record creates a minor chronology wrinkle because build 28000.2269 was already distributed with KB5095051 in June. Administrators should avoid trying to interpret the CVE solely from that boundary and deploy the current July update, KB5101649, which Microsoft identifies as the latest security package for 26H1.
No separate workaround or configuration mitigation has been documented. Disabling IIS is not an adequate general response because HTTP.sys is a Windows component used by more than IIS, and Microsoft’s advisory does not establish that removing a particular web-server role eliminates the vulnerable local code path.
Patch Priority Depends on Who Can Run Code
For conventional managed Windows 11 endpoints, CVE-2026-50420 fits into the normal July cumulative-update cycle. An attacker needs local access, and Microsoft had not identified public disclosure or active exploitation when the update was released.Shared systems deserve faster treatment. Remote Desktop Session Hosts, developer workstations running untrusted projects, multi-user servers, testing machines, and Windows hosts that execute third-party workloads offer more realistic paths for an unauthorized local attacker to reach vulnerable functionality.
Server administrators should also account for the broader changes bundled into July’s cumulative updates. Microsoft says KB5099536 introduces networking hardening that enforces registration requirements for third-party Transport Driver Interface transports. Applications using sockets over unregistered third-party TDI transports may stop working after installation, so deployment testing should include legacy networking and security software rather than HTTP workloads alone.
The usual cumulative-update controls remain appropriate: stage the update on representative systems, check application and driver compatibility, deploy within the organization’s security window, and verify the resulting OS build. Vulnerability scanners should ultimately recognize the fixed build rather than relying only on whether HTTP.sys, IIS, or a visible web role appears to be enabled.
CVE-2026-50420 is not a remote HTTP.sys takeover and should not displace actively exploited vulnerabilities at the top of an emergency queue. It is, however, a confirmed kernel-level memory disclosure with no privilege requirement once an attacker is local. Installing KB5101650, KB5101649, or KB5099536 closes that path while giving administrators a concrete build number to verify across July’s Windows estate.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com