CVE-2026-50661 BitLocker Bypass Fixed in July 14 Windows Updates

Microsoft has patched CVE-2026-50661, a publicly disclosed BitLocker vulnerability that could let an unauthorized attacker bypass a Windows security feature after gaining physical access to a device. The fix arrived in the July 14, 2026 security updates and affects supported Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 installations.
Detailed in Microsoft’s Security Update Guide, the flaw carries a CVSS 3.1 base score of 6.1 and is classified as a Windows BitLocker security feature bypass. Microsoft says exploitation requires a physical attack, but no privileges or user interaction are required once the attacker has access to the machine.
The vulnerability was publicly known before the update became available, although Microsoft had not reported active exploitation as of July 15. The company assessed exploitation as less likely, making this a patching priority for organizations exposed to device theft, hostile physical access, or hardware passing through untrusted hands rather than an internet-facing emergency.

A laptop displays BitLocker encryption and a patched CVE-2026-50661 update, with security progress at 100%.A Medium Score Masks a High-Impact Outcome​

CVE-2026-50661 is categorized under CWE-693, Protection Mechanism Failure. Microsoft’s description is notably brief: a protection mechanism failure in BitLocker can allow an unauthorized attacker to bypass a security feature through a physical attack.
The CVSS vector — CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N — provides more useful context. It identifies physical access as mandatory, rates the attack complexity as low, and indicates that neither existing privileges nor victim interaction are required. A successful attack could have a high effect on confidentiality and integrity, although Microsoft assigns no availability impact.
That explains why the numerical score remains in the medium range while the potential result remains serious. Physical access sharply limits the population of plausible attackers, but BitLocker exists specifically to protect data when a computer or storage device is lost, stolen, removed from controlled premises, or accessed offline.
For a home desktop in a locked room, the threat may be relatively remote. For an executive laptop, administrator workstation, field-service PC, kiosk, branch-office server, or device awaiting disposal, the physical attack requirement is considerably less reassuring.
The National Vulnerability Database was still awaiting its own enrichment analysis immediately after publication. Its initial record reproduced Microsoft’s CVSS score and identified the report as confirmed, but it did not add technical detail about the affected BitLocker component or the precise bypass sequence.

The July Builds Draw the Remediation Line​

Microsoft’s affected-product data establishes the patched build thresholds. Systems below the following builds should be treated as vulnerable unless Microsoft subsequently revises the advisory:
  • Windows 10 version 1607 and Windows Server 2016 must be updated to build 14393.9339.
  • Windows 10 version 1809 and Windows Server 2019 must be updated to build 17763.9020 through KB5099538.
  • Windows 10 version 21H2 must reach build 19044.7548, while version 22H2 must reach build 19045.7548 through KB5099539.
  • Windows 11 versions 24H2 and 25H2 must reach builds 26100.8875 and 26200.8875 respectively through KB5101650.
  • Windows 11 version 26H1 must reach build 28000.2525 through KB5101649.
  • Windows Server 2022 must reach build 20348.5386 through KB5099540.
  • Windows Server 2025 must reach build 26100.33158.
The Server Core variants of Windows Server 2016, 2019, and 2025 are also listed as affected. The breadth of the product list suggests the vulnerable behavior resides in a Windows component shared across multiple generations rather than in a feature exclusive to the newest Windows 11 release.
Windows administrators should verify the installed OS build rather than relying only on a successful Windows Update scan. This is particularly important for servers with delayed maintenance windows, Windows 10 devices receiving Extended Security Updates, and systems managed through WSUS, Microsoft Configuration Manager, or third-party patching platforms.
For Windows 11 24H2 and 25H2, the shared KB5101650 package produces different build numbers depending on the installed feature release. Inventory tools therefore need to evaluate both the Windows version and its build revision rather than checking for the KB identifier alone.

Public Disclosure Changes the Patching Calculation​

Microsoft marked CVE-2026-50661 as publicly disclosed but not exploited. That distinction matters: public awareness does not prove that reliable attack code is circulating, yet it can shorten the time required for researchers or attackers to reproduce the underlying weakness.
The company also described exploitation as less likely. That assessment should guide prioritization, but it should not be mistaken for a guarantee that exploitation will remain impractical. The CVSS vector’s low-complexity rating indicates that Microsoft does not consider the physical attack itself unusually difficult once the necessary conditions are met.
The immediate response should consequently be based on physical exposure, not simply the CVSS number. Organizations should accelerate the July update for laptops, portable workstations, devices used by privileged administrators, systems holding regulated data, and machines deployed in publicly accessible or lightly supervised locations.
BitLocker’s deployment mode also deserves review. A TPM-only configuration is convenient because Windows can unlock the operating-system volume without asking the user for a preboot secret, but organizations facing stronger physical threats often require additional authentication such as a startup PIN. Microsoft has not presented configuration changes as a substitute for installing the CVE-2026-50661 update, however, and administrators should not assume that an existing PIN policy definitively blocks an undisclosed attack path.
Recovery keys remain another operational concern. Administrators should confirm that keys are escrowed in Microsoft Entra ID, Active Directory Domain Services, or another approved management system before broad deployment. That preparation does not mitigate the vulnerability, but it reduces the risk of an update, firmware interaction, or recovery event leaving a legitimate user locked out.

This Is Not a Remote BitLocker Break​

Nothing in Microsoft’s advisory indicates that CVE-2026-50661 can be exploited over a network. It is not a remote-code-execution vulnerability, and there is no indication that an attacker can scan the internet for BitLocker-enabled PCs and bypass their encryption from afar.
The advisory also does not say that BitLocker’s encryption algorithm has been cryptographically broken. A security feature bypass typically means that an attacker can find a path around an intended protection boundary or trusted workflow. Without technical documentation from Microsoft or the original researcher, claims about the precise mechanism would be speculation.
That caution is particularly important because CVE-2026-50661 is separate from earlier BitLocker and Windows Recovery Environment issues disclosed during 2026. Similar impact descriptions do not establish that two CVEs share the same root cause, exploit procedure, or mitigation.
For users, the practical advice is straightforward: install the July 2026 cumulative update, restart the device, and confirm the resulting Windows build. BitLocker should remain enabled; disabling drive encryption in response to a bypass vulnerability would remove the protection entirely and create a much simpler route to offline data theft.
For enterprise IT, the next milestone is patch-compliance evidence. A deployment report showing KB5101650 or another applicable package was approved is not enough—the meaningful result is that high-risk endpoints and servers have successfully reached Microsoft’s fixed build thresholds. Until they do, a stolen or physically compromised Windows system may not receive the BitLocker protection its owner expects.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Official source: learn.microsoft.com
  4. Related coverage: techradar.com
  5. Related coverage: windowscentral.com
  6. Related coverage: pcgamer.com
 

Back
Top