CVE-2026-50475 exposes information from Windows kernel memory through a buffer over-read, and Microsoft has shipped the fix across supported Windows 10, Windows 11, and Windows Server releases. The flaw is rated Important with a CVSS 3.1 score of 5.5, but its kernel location makes it relevant to administrators evaluating multi-stage attacks rather than CVSS numbers alone.
Detailed in Microsoft’s Security Update Guide on July 14, 2026, the vulnerability allows a locally authenticated attacker with low privileges to obtain information that should not be accessible. Microsoft assesses exploitation as less likely and says the issue was neither publicly disclosed nor known to be exploited when the updates were released.
CVE-2026-50475 is classified as CWE-126, a buffer over-read. This occurs when software reads beyond the intended boundary of a memory buffer, potentially returning adjacent data left in memory by the operating system or another process.
Microsoft’s CVSS vector is
That combination explains the 5.5 score. CVE-2026-50475 cannot be attacked directly over a network, does not by itself grant SYSTEM privileges, and is not expected to modify files or crash Windows. Its value to an attacker lies in revealing protected information.
Microsoft’s concise description does not identify exactly what can be recovered from kernel memory. Administrators should therefore avoid assuming the leak is limited to harmless diagnostic data or a single address. Until deeper technical analysis appears, the defensible interpretation is that a low-privileged process may be able to extract sensitive kernel-memory contents.
An information disclosure bug is often most useful when combined with another vulnerability. Leaked memory addresses can undermine Address Space Layout Randomization, while other exposed values may help an attacker understand kernel state, locate valuable objects, or refine a separate privilege-escalation exploit. CVE-2026-50475 is not documented as providing that complete chain on its own, but closing information leaks removes one of the building blocks attackers commonly seek.
Report confidence describes the quality of the available evidence. A vulnerability may begin with an uncertain report, later gain corroborating research, and eventually be confirmed by the affected vendor or through reproducible technical work. In this case, Microsoft has acknowledged the Windows kernel flaw and issued corrected software, so the confidence assessment is at its highest level.
That metric is separate from exploitability. At publication, Microsoft’s assessment for CVE-2026-50475 was:
The low attack complexity also deserves attention. An attacker must already be able to run code locally under an authorized account, but Microsoft does not identify additional race conditions, specialized hardware, or user actions needed to trigger the vulnerable behavior. On shared systems, remote desktop hosts, developer workstations, and servers where an initial foothold is a realistic threat, that prerequisite is not especially reassuring.
For current Windows 11 systems, KB5101650 raises Windows 11 24H2 to OS Build 26100.8875 and Windows 11 25H2 to Build 26200.8875. Microsoft’s CVE record treats earlier builds in those servicing branches as vulnerable.
Windows 10 systems receiving Extended Security Updates are covered by KB5099539. The package advances Windows 10 22H2 to Build 19045.7548 and Windows 10 21H2 to Build 19044.7548. Organizations still operating these releases should remember that patch availability now depends on the applicable ESU or long-term servicing entitlement rather than ordinary consumer support.
The server-side fixed-build thresholds include:
Windows 11 26H1 has its own servicing branch. Microsoft’s records identify affected builds below the corrected thresholds in the 28000 series, including systems that had only reached the June 2026 security level. Administrators managing 26H1 devices should verify the installed cumulative update rather than assuming that a recent-looking build is sufficient.
Because Windows cumulative updates supersede earlier packages, users do not need to locate a stand-alone CVE-2026-50475 patch. Installing the applicable July 14 cumulative update—or a later superseding update—delivers the kernel correction alongside the month’s other security fixes.
The kernel disclosure still belongs in the normal security-update window. Its local, low-privilege attack model makes it especially relevant where many users or workloads share the same Windows host. Remote Desktop Session Hosts, jump servers, build machines, virtual desktop infrastructure, and developer systems all present plausible scenarios in which an attacker already has limited execution but wants information needed for the next stage.
Endpoint teams should verify deployment using the installed KB and OS build, not merely the date of the last successful update scan. Windows Update for Business, Microsoft Intune, Configuration Manager, and WSUS reports can show a device as recently contacted while the July cumulative update remains pending, failed, or awaiting a restart.
Testing also matters because the July packages contain changes beyond this CVE. Microsoft notes that updates released on or after July 14 introduce transport-registration hardening that can affect applications relying on unregistered third-party TDI transports. Windows 11 KB5101650 was also temporarily unavailable to a limited set of Dell devices with Intel processors because of a reported compatibility issue involving shutdowns, performance, heat, and battery use.
Those compatibility considerations justify staged deployment, not omission. Pilot the update against kernel-sensitive software such as endpoint security agents, VPN clients, storage filters, backup products, and legacy networking tools, then move patched builds into production once basic stability checks pass.
For individual Windows users, the action is simpler: install the July 2026 cumulative update through Windows Update and complete the restart. For administrators, the measurable endpoint is a fleet in which no supported device remains below its corrected July build threshold. CVE-2026-50475 is not an emergency zero-day, but every unpatched kernel information leak leaves an avoidable advantage available to an attacker who has already crossed the first boundary.
Detailed in Microsoft’s Security Update Guide on July 14, 2026, the vulnerability allows a locally authenticated attacker with low privileges to obtain information that should not be accessible. Microsoft assesses exploitation as less likely and says the issue was neither publicly disclosed nor known to be exploited when the updates were released.
A Local Leak With High Confidentiality Impact
CVE-2026-50475 is classified as CWE-126, a buffer over-read. This occurs when software reads beyond the intended boundary of a memory buffer, potentially returning adjacent data left in memory by the operating system or another process.Microsoft’s CVSS vector is
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, exploitation requires local access and low-level privileges, but it does not require user interaction or unusual operating conditions. A successful attack can have a high confidentiality impact, while Microsoft attributes no direct integrity or availability impact to the flaw.That combination explains the 5.5 score. CVE-2026-50475 cannot be attacked directly over a network, does not by itself grant SYSTEM privileges, and is not expected to modify files or crash Windows. Its value to an attacker lies in revealing protected information.
Microsoft’s concise description does not identify exactly what can be recovered from kernel memory. Administrators should therefore avoid assuming the leak is limited to harmless diagnostic data or a single address. Until deeper technical analysis appears, the defensible interpretation is that a low-privileged process may be able to extract sensitive kernel-memory contents.
An information disclosure bug is often most useful when combined with another vulnerability. Leaked memory addresses can undermine Address Space Layout Randomization, while other exposed values may help an attacker understand kernel state, locate valuable objects, or refine a separate privilege-escalation exploit. CVE-2026-50475 is not documented as providing that complete chain on its own, but closing information leaks removes one of the building blocks attackers commonly seek.
“Confirmed” Describes Evidence, Not Active Exploitation
The report-confidence text displayed in Microsoft’s advisory can be easy to misread. A Confirmed assessment means Microsoft considers the vulnerability’s existence and technical basis sufficiently established, not that attackers have confirmed exploitation in the wild.Report confidence describes the quality of the available evidence. A vulnerability may begin with an uncertain report, later gain corroborating research, and eventually be confirmed by the affected vendor or through reproducible technical work. In this case, Microsoft has acknowledged the Windows kernel flaw and issued corrected software, so the confidence assessment is at its highest level.
That metric is separate from exploitability. At publication, Microsoft’s assessment for CVE-2026-50475 was:
- The vulnerability was not publicly disclosed.
- Microsoft had not observed active exploitation.
- Microsoft considered future exploitation less likely.
- An official security update was available.
The low attack complexity also deserves attention. An attacker must already be able to run code locally under an authorized account, but Microsoft does not identify additional race conditions, specialized hardware, or user actions needed to trigger the vulnerable behavior. On shared systems, remote desktop hosts, developer workstations, and servers where an initial foothold is a realistic threat, that prerequisite is not especially reassuring.
The Fix Reaches Multiple Windows Generations
Microsoft lists a broad range of desktop and server products as affected. The exposure includes Windows 11 versions 24H2, 25H2, and 26H1; supported Windows 10 installations; and Windows Server releases extending from Server 2012 through Server 2025.For current Windows 11 systems, KB5101650 raises Windows 11 24H2 to OS Build 26100.8875 and Windows 11 25H2 to Build 26200.8875. Microsoft’s CVE record treats earlier builds in those servicing branches as vulnerable.
Windows 10 systems receiving Extended Security Updates are covered by KB5099539. The package advances Windows 10 22H2 to Build 19045.7548 and Windows 10 21H2 to Build 19044.7548. Organizations still operating these releases should remember that patch availability now depends on the applicable ESU or long-term servicing entitlement rather than ordinary consumer support.
The server-side fixed-build thresholds include:
- Windows Server 2016 reaches Build 14393.9339 through KB5099535.
- Windows Server 2019 reaches Build 17763.9020 through KB5099538.
- Windows Server 2022 reaches Build 20348.5386 through KB5099540.
- Windows Server 2025 reaches Build 26100.33158 through KB5099536.
- Windows Server 2012 and Server 2012 R2 receive their respective July monthly rollups, KB5099445 and KB5099444.
Windows 11 26H1 has its own servicing branch. Microsoft’s records identify affected builds below the corrected thresholds in the 28000 series, including systems that had only reached the June 2026 security level. Administrators managing 26H1 devices should verify the installed cumulative update rather than assuming that a recent-looking build is sufficient.
Because Windows cumulative updates supersede earlier packages, users do not need to locate a stand-alone CVE-2026-50475 patch. Installing the applicable July 14 cumulative update—or a later superseding update—delivers the kernel correction alongside the month’s other security fixes.
Patch Priority Depends on the Initial Foothold
CVE-2026-50475 should not outrank July’s actively exploited vulnerabilities or unauthenticated remote-code-execution flaws. The Zero Day Initiative characterized Microsoft’s July 2026 release as exceptionally large, with hundreds of fixes and two vulnerabilities already under active attack. Enterprises will reasonably deploy those higher-risk corrections first.The kernel disclosure still belongs in the normal security-update window. Its local, low-privilege attack model makes it especially relevant where many users or workloads share the same Windows host. Remote Desktop Session Hosts, jump servers, build machines, virtual desktop infrastructure, and developer systems all present plausible scenarios in which an attacker already has limited execution but wants information needed for the next stage.
Endpoint teams should verify deployment using the installed KB and OS build, not merely the date of the last successful update scan. Windows Update for Business, Microsoft Intune, Configuration Manager, and WSUS reports can show a device as recently contacted while the July cumulative update remains pending, failed, or awaiting a restart.
Testing also matters because the July packages contain changes beyond this CVE. Microsoft notes that updates released on or after July 14 introduce transport-registration hardening that can affect applications relying on unregistered third-party TDI transports. Windows 11 KB5101650 was also temporarily unavailable to a limited set of Dell devices with Intel processors because of a reported compatibility issue involving shutdowns, performance, heat, and battery use.
Those compatibility considerations justify staged deployment, not omission. Pilot the update against kernel-sensitive software such as endpoint security agents, VPN clients, storage filters, backup products, and legacy networking tools, then move patched builds into production once basic stability checks pass.
For individual Windows users, the action is simpler: install the July 2026 cumulative update through Windows Update and complete the restart. For administrators, the measurable endpoint is a fleet in which no supported device remains below its corrected July build threshold. CVE-2026-50475 is not an emergency zero-day, but every unpatched kernel information leak leaves an avoidable advantage available to an attacker who has already crossed the first boundary.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org