CVE-2026-50458: Install KB5101650 to Fix Windows 11 Privilege Escalation

CVE-2026-50458 is a high-severity local privilege-escalation vulnerability in the Microsoft Brokering File System, fixed for Windows 11 versions 24H2 and 25H2 and Windows Server 2025 in Microsoft’s July 14, 2026 security updates. An authenticated attacker who already has low-privilege access could exploit the flaw without user interaction and potentially take complete control of the affected system.
Detailed in Microsoft’s Security Update Guide and subsequently recorded by the National Vulnerability Database, the vulnerability carries a CVSS 3.1 base score of 7.8 out of 10. Microsoft describes the underlying problem as a use-after-free memory error, while the CVE record also associates it with improper synchronization of a shared resource—a race condition that can leave Windows operating on memory after it has been released.
The immediate action is straightforward: Windows 11 administrators should deploy KB5101650, while Windows Server 2025 systems require KB5099536. Windows 11 version 26H1 devices at build 28000.2269 or later are already outside the affected build range documented in the CVE record.

Cybersecurity infographic showing a Windows file-system vulnerability causing local privilege escalation despite advanced protections.A Local Foothold Can Become Full System Control​

CVE-2026-50458 is not a drive-by vulnerability and cannot be attacked directly over the network according to Microsoft’s published CVSS vector. The attacker must first be able to run code locally using an authorized, low-privilege account.
That requirement lowers the immediate exposure compared with an unauthenticated remote-code-execution flaw, but it does not make the vulnerability harmless. Local privilege escalation is frequently the second stage of an intrusion: phishing, a malicious document, stolen credentials, or a vulnerable application gets the attacker onto a machine, and an elevation flaw then provides the administrative authority needed to disable defenses, access protected data, or establish persistence.
Microsoft’s vector rates the attack as local, low complexity, requiring low privileges, and requiring no user interaction. Successful exploitation could result in high impact to confidentiality, integrity, and availability, with the scope remaining within the compromised Windows security boundary.
In practical terms, the attacker does not need another employee to click a prompt after the initial foothold has been established. The vulnerable Brokering File System component becomes the route from restricted execution to elevated control.
The affected configurations documented by Microsoft are:
  • Windows 11 version 24H2 on x64 and Arm64 systems before build 26100.8875.
  • Windows 11 version 25H2 on x64 and Arm64 systems before build 26200.8875.
  • Windows 11 version 26H1 on x64 and Arm64 systems before build 28000.2269.
  • Windows Server 2025, including Server Core installations, before build 26100.33158.
Older Windows releases are not listed in the affected-product data published with this CVE. Administrators should not extrapolate from the component name alone and assume that every Windows version containing file-system brokering code is vulnerable.

The Memory Error Explains the High Impact​

A use-after-free flaw occurs when software releases an area of memory but later continues to reference it. If an attacker can influence what occupies that memory before the stale reference is used again, the program may process attacker-controlled data as though it were still a legitimate internal object.
The additional CWE-362 classification points to concurrent execution and inadequate synchronization. That suggests the vulnerable state may be reached by manipulating the timing of multiple operations, causing one path to release an object while another path still expects it to exist.
Microsoft has not published exploit code, a proof of concept, or the exact Brokering File System call sequence required to trigger CVE-2026-50458. The public record therefore confirms the vulnerability’s existence and broad root cause without handing defenders—or attackers—a complete technical walkthrough.
That distinction matters when interpreting vulnerability-confidence metrics. Confidence in the existence of CVE-2026-50458 is high because Microsoft, the assigning CVE Numbering Authority and vendor responsible for Windows, has acknowledged and patched it. Confidence in detailed exploitation mechanics is lower because the available advisory does not expose the vulnerable function, memory layout, or reliable trigger conditions.
The National Vulnerability Database remained marked as “Awaiting Enrichment” on July 15. Its entry reproduces Microsoft’s description and CVSS score but had not yet added an independent NIST severity assessment or broader platform analysis.
CISA’s initial SSVC data recorded no known exploitation and classified the flaw as non-automatable, while assigning it total technical impact. That combination describes a vulnerability that is highly consequential after successful exploitation but is not presently known to support a simple, scalable attack campaign.

July’s Cumulative Updates Draw the Security Boundary​

For Windows 11 versions 24H2 and 25H2, the fix arrives in KB5101650, released on July 14. The cumulative update advances version 24H2 to OS build 26100.8875 and version 25H2 to build 26200.8875.
Microsoft distributes KB5101650 through Windows Update, Windows Update for Business, Microsoft Update Catalog, and Windows Server Update Services. Because it is cumulative, organizations do not need a separate CVE-specific package; installing the July update brings the Brokering File System fix alongside the month’s other security and quality changes.
Windows Server 2025 receives the correction through KB5099536, which advances the operating system to build 26100.33158. The same build threshold applies to Server Core, making Core deployments just as relevant to the patch inventory as systems with the Desktop Experience.
Windows 11 version 26H1 is the unusual entry. Microsoft’s affected-version data identifies builds earlier than 28000.2269, but build 28000.2269 was already delivered in June through KB5095051. Organizations running 26H1 should still confirm their build rather than relying on the feature-version label, particularly for newly provisioned devices or offline images that may not have received current cumulative updates.
Administrators can check the deployed build with winver, the Settings app under System and About, or their endpoint-management inventory. PowerShell-based fleet checks can retrieve the OS build from CIM or registry data, though update compliance platforms should remain the primary source for managed environments.

Patch Priority Depends on Who Can Log On​

CVE-2026-50458 does not justify the same emergency response as a remotely exploitable, actively abused zero-day. Microsoft’s own scoring shows that an attacker needs local execution and an existing low-privilege identity, and no public exploitation was recorded when the advisory appeared.
It should nevertheless remain inside the normal Patch Tuesday deployment window rather than being deferred indefinitely. Multi-user servers, virtual desktop infrastructure, developer workstations, help-desk machines, and endpoints that routinely process untrusted files face greater risk because they offer more opportunities for an attacker to obtain the initial foothold required by the exploit chain.
Server Core does not remove the vulnerable component from scope. Nor do application allowlisting, Microsoft Defender, or least-privilege policies replace the update: those controls can make the first stage harder, but the CVE specifically targets the boundary meant to keep a restricted account restricted.
Organizations delaying KB5101650 on affected Dell systems should also note Microsoft’s separate compatibility hold affecting a limited number of Dell devices with Intel processors. Microsoft says the incompatibility can cause unexpected shutdowns, poor performance, increased heat, and battery drain, and it is temporarily withholding the update from affected models while working with Dell. That safeguard complicates deployment but does not erase the underlying security exposure; administrators should track Microsoft’s release-health guidance and install the corrected update as soon as the device block is lifted.
For the remaining Windows 11 and Windows Server 2025 estate, the measurable target is clear: build 26100.8875 or 26200.8875 on supported Windows 11 releases, build 28000.2269 or later on Windows 11 26H1, and build 26100.33158 on Windows Server 2025. Any affected system below those thresholds retains a confirmed path by which a compromised local account could potentially become full system control.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top