CVE-2026-50476: Install July Updates to Fix Windows Privilege Escalation

Microsoft has fixed CVE-2026-50476, an Important-rated elevation-of-privilege vulnerability in the Windows Network Connections Service, through the July 14, 2026 security updates. The flaw spans supported Windows 11 releases, several Windows 10 servicing branches, and Windows Server versions from 2012 through 2025, making the cumulative update the practical remediation for administrators.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, CVE-2026-50476 is a local use-after-free vulnerability. An attacker must already have low-level authorization on the target machine, but successful exploitation could cross a security boundary and produce high confidentiality, integrity, and availability impact.
Microsoft has assigned the vulnerability a CVSS 3.1 base score of 7.8. The company reported no active exploitation or public disclosure when the advisory was published on July 14, and its exploitability assessment places attacks in the “less likely” category.

Cybersecurity analyst monitors dashboards showing a blocked vulnerability, patch progress, and protected systems.Local Access Narrows the Door, Not the Damage​

CVE-2026-50476 is not a remote code execution flaw that can be triggered directly from another system. Its CVSS vector specifies a local attack requiring low privileges, no user interaction, and high attack complexity: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.
In operational terms, an attacker would first need to run code or otherwise obtain an authorized foothold on the Windows device. That makes the vulnerability more useful as the second stage of an intrusion than as the initial entry point—malware, a compromised account, or another vulnerability could provide local access before CVE-2026-50476 is used to escape the restrictions of that foothold.
The “high” attack-complexity rating also signals that exploitation depends on conditions beyond simply calling a vulnerable function. Microsoft has not published a technical explanation or proof of concept, so it remains unclear whether an attacker must manipulate object timing, memory allocation patterns, service state, or another environmental condition.
A use-after-free occurs when software continues to access memory after the object occupying that memory has been released. If an attacker can influence what replaces the freed object, the resulting memory corruption may redirect execution or alter security-sensitive state. Microsoft identifies the underlying weakness as CWE-416, but has not disclosed the affected function or an attack sequence.
The scope-change component of the CVSS vector is particularly relevant. Microsoft’s scoring indicates that exploitation can affect resources governed by a security authority beyond the vulnerable component itself, while the high impact ratings indicate potentially complete compromise of confidentiality, integrity, and availability in the affected context. Microsoft’s public advisory does not explicitly state which final privilege level is obtained, so administrators should not assume more detail than the published scoring supports.

The Fix Reaches Across Windows Generations​

The affected-product range is unusually broad. According to Microsoft’s CVE record as reproduced by the NVD, vulnerable installations include Windows 10 Version 1607, Version 1809, Version 21H2, and Version 22H2, alongside Windows 11 Versions 24H2, 25H2, and 26H1.
The server list extends from Windows Server 2012 and Windows Server 2012 R2 through Windows Server 2016, 2019, 2022, and 2025. Server Core installations are included where applicable, so stripping away the graphical interface does not remove exposure to the vulnerable service code.
Administrators can use the patched build thresholds to check deployment rather than relying solely on update-console status:
  • Windows 10 Version 1607 and Windows Server 2016 are protected at build 14393.9339 or later through KB5099535.
  • Windows 10 Version 1809 and Windows Server 2019 are protected at build 17763.9020 or later through KB5099538.
  • Windows 10 Version 21H2 and 22H2 are protected at builds 19044.7548 and 19045.7548 through KB5099539.
  • Windows 11 Version 24H2 is protected at build 26100.8875 through KB5101650.
  • Windows 11 Version 25H2 receives the same cumulative-update family, with Microsoft’s published servicing information placing it in the 26200.887x build range.
  • Windows 11 Version 26H1 is outside the affected range at build 28000.2269 or later.
  • Windows Server 2022 is protected at build 20348.5386 through KB5099540.
  • Windows Server 2025 is protected at build 26100.33158 through KB5099536.
Windows 10 Version 22H2 deserves a separate inventory check because ordinary free support ended on October 14, 2025. KB5099539 is an Extended Security Updates release for eligible Windows 10 22H2 devices, while Windows 10 Enterprise LTSC 2021 remains serviced under its own lifecycle. A machine stuck below build 19045.7548 because it is neither enrolled in ESU nor migrated to a supported Windows release remains exposed.
The same lifecycle issue applies to Windows Server 2012 and 2012 R2, which require the appropriate Extended Security Updates path. The CVE record listing an old operating system does not mean every installation will automatically receive the patch through Windows Update.

Report Confidence Is Not an Exploitation Forecast​

The text supplied in Microsoft’s advisory describes the CVSS report confidence metric, which Microsoft marks as confirmed. That designation means the vendor has sufficient confidence that the vulnerability exists and that the technical report is credible; it does not mean attacks have been observed.
That distinction matters because several separate fields can otherwise be conflated. CVE-2026-50476 was confirmed by Microsoft, but was not publicly disclosed and was not known to be exploited when the July update shipped. CISA’s initial decision data likewise recorded no exploitation while rating the potential technical impact as total.
Microsoft also rates exploitation as less likely, not impossible. High-complexity local privilege-escalation vulnerabilities may become more practical after researchers compare patched and unpatched binaries, understand the corrected memory-management path, and develop techniques for reliably controlling allocation behavior.
The July release itself is exceptionally large. BleepingComputer counted 570 Microsoft vulnerabilities fixed on July 14, including 254 elevation-of-privilege issues and three zero-days. CVE-2026-50476 was not one of those zero-days, but the volume creates a deployment challenge: an Important local flaw can disappear inside a patch queue dominated by actively exploited and Critical vulnerabilities.
That does not justify treating it as an emergency above every other July issue. It does justify confirming that broad Windows cumulative-update deployment has not left behind domain-joined workstations, multi-user servers, virtual desktop hosts, kiosk systems, or Windows 10 ESU devices where an existing foothold could be converted into a more damaging compromise.

Patch Validation Matters More Than Service Workarounds​

Microsoft has not published a mitigation or workaround for CVE-2026-50476. Disabling network adapters or blocking inbound traffic is not an equivalent defense because the vulnerability is locally exploitable; its component name should not be mistaken for evidence that an attacker must arrive over the network.
The appropriate response is to deploy the applicable July cumulative update, restart where required, and verify the resulting OS build. Organizations using WSUS, Microsoft Configuration Manager, Windows Autopatch, or third-party patching platforms should validate installation by build number as well as KB compliance, particularly on systems requiring a servicing-stack prerequisite or ESU entitlement.
Security teams should continue treating low-privilege code execution as a meaningful boundary. Application allowlisting, reduced local administrator membership, endpoint detection, credential protections, and segmentation can restrict the attacker’s initial foothold, but none removes the need to correct the underlying memory-safety defect.
For CVE-2026-50476, the immediate milestone is clear: Windows 11 24H2 systems should reach build 26100.8875, Windows 10 22H2 ESU systems should reach 19045.7548, and server fleets should meet their corresponding July 2026 build floors. Until those versions are visible in inventory, the Network Connections Service remains another route by which a limited local compromise could become a system-wide incident.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: tomshardware.com
 

Back
Top