CVE-2026-50359 is a high-severity Microsoft XML Core Services vulnerability that can let a locally authenticated attacker elevate privileges on affected Windows systems. Microsoft fixed the use-after-free flaw in its July 14, 2026 security updates, covering Windows 10, Windows 11, and Windows Server releases as old as Server 2012.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, the flaw carries a CVSS 3.1 base score of 7.0. It is not a remote, unauthenticated entry point, but successful exploitation could give an attacker broad control over the confidentiality, integrity, and availability of the compromised machine.
Administrators should deploy the July cumulative or security-only updates rather than attempting to remove or disable Microsoft XML Core Services. MSXML remains a dependency for Windows components and older business applications, making component-level workarounds more likely to break software than to provide reliable protection.
Microsoft identifies the underlying weakness as CWE-416, or use after free. This class of memory-safety problem occurs when software continues to reference memory after the corresponding object has been released, potentially allowing an attacker to influence what subsequently occupies that memory.
The published description remains brief: an authorized attacker can exploit Microsoft XML Core Services locally to elevate privileges. Microsoft has not publicly documented the exact MSXML interface, parsing operation, or application workflow needed to trigger the vulnerable condition, and the NVD still lists the record as awaiting enrichment.
The CVSS vector provides more operational detail. Exploitation requires local access, low privileges, and no interaction from another user, while attack complexity is rated high. That combination means CVE-2026-50359 is principally a post-compromise privilege-escalation vulnerability, not something that can be triggered directly against an exposed Windows service over the internet.
High attack complexity should not be read as harmlessness. Local privilege escalation bugs are regularly paired with phishing, credential theft, malicious installers, browser exploits, or remote-access footholds. Once an attacker has obtained limited execution under a standard account, a vulnerability like this may provide the jump needed to tamper with protected data, disable defenses, establish deeper persistence, or take control of the operating system.
Microsoft’s scoring assigns high potential impact to confidentiality, integrity, and availability. The scope remains unchanged, meaning the privilege transition occurs within the same Windows security authority rather than crossing into a separate security domain.
Server exposure is similarly broad. Microsoft lists Windows Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022, and Server 2025, including applicable Server Core installations.
The patched build thresholds recorded for the vulnerability include:
Windows 10 21H2 and 22H2 entries also illustrate why inventory context is essential. The appearance of an operating-system version in a CVE record does not restore mainstream support for every edition or deployment. Updates may be available only to editions still serviced under Microsoft’s lifecycle policies or to devices covered by an Extended Security Updates program.
As of July 15, 2026, CISA’s SSVC data records no known exploitation and classifies the vulnerability as non-automatable. CVE-2026-50359 was also not one of the July Patch Tuesday vulnerabilities highlighted as publicly disclosed or exploited in the wild by Microsoft or contemporaneous Patch Tuesday reporting.
That distinction prevents the advisory language from creating unnecessary alarm. The vulnerability is real, Microsoft has issued a fix, and the potential impact is substantial, but the available evidence does not currently place it in zero-day or active-campaign territory.
The absence of observed exploitation is still only a point-in-time assessment. Patch publication gives attackers a starting point for comparing updated and unpatched binaries, and privilege-escalation vulnerabilities can become more useful once reliable exploit techniques emerge. Microsoft has disclosed too little technical detail to judge how practical that process will be for this particular use-after-free condition.
Because the affected MSXML functionality ships as part of Windows, there is no separate parser installer that administrators should deploy in place of the OS update. Microsoft has not published a configuration workaround or mitigation that offers equivalent protection.
Enterprise teams should therefore treat normal cumulative-update validation as the remediation path:
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, the flaw carries a CVSS 3.1 base score of 7.0. It is not a remote, unauthenticated entry point, but successful exploitation could give an attacker broad control over the confidentiality, integrity, and availability of the compromised machine.
Administrators should deploy the July cumulative or security-only updates rather than attempting to remove or disable Microsoft XML Core Services. MSXML remains a dependency for Windows components and older business applications, making component-level workarounds more likely to break software than to provide reliable protection.
A Memory-Safety Bug With a Local Starting Point
Microsoft identifies the underlying weakness as CWE-416, or use after free. This class of memory-safety problem occurs when software continues to reference memory after the corresponding object has been released, potentially allowing an attacker to influence what subsequently occupies that memory.The published description remains brief: an authorized attacker can exploit Microsoft XML Core Services locally to elevate privileges. Microsoft has not publicly documented the exact MSXML interface, parsing operation, or application workflow needed to trigger the vulnerable condition, and the NVD still lists the record as awaiting enrichment.
The CVSS vector provides more operational detail. Exploitation requires local access, low privileges, and no interaction from another user, while attack complexity is rated high. That combination means CVE-2026-50359 is principally a post-compromise privilege-escalation vulnerability, not something that can be triggered directly against an exposed Windows service over the internet.
High attack complexity should not be read as harmlessness. Local privilege escalation bugs are regularly paired with phishing, credential theft, malicious installers, browser exploits, or remote-access footholds. Once an attacker has obtained limited execution under a standard account, a vulnerability like this may provide the jump needed to tamper with protected data, disable defenses, establish deeper persistence, or take control of the operating system.
Microsoft’s scoring assigns high potential impact to confidentiality, integrity, and availability. The scope remains unchanged, meaning the privilege transition occurs within the same Windows security authority rather than crossing into a separate security domain.
The Affected List Spans Current and Legacy Windows Fleets
The CVE record covers supported configurations across several generations of Windows. Client systems include Windows 10 versions 1607, 1809, 21H2, and 22H2, along with Windows 11 versions 24H2, 25H2, and 26H1.Server exposure is similarly broad. Microsoft lists Windows Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022, and Server 2025, including applicable Server Core installations.
The patched build thresholds recorded for the vulnerability include:
- Windows 10 version 1607 and Windows Server 2016 are protected at build 14393.9339 or later.
- Windows 10 version 1809 and Windows Server 2019 are protected at build 17763.9020 or later.
- Windows 10 version 21H2 is protected at build 19044.7548 or later.
- Windows 10 version 22H2 is protected at build 19045.7548 or later.
- Windows 11 versions 24H2 and 25H2 are protected at build 26100.8875 and 26200.8875 respectively.
- Windows Server 2022 is protected at build 20348.5386 or later.
- Windows Server 2025 is protected at build 26100.33158 or later.
- Windows Server 2012 and Server 2012 R2 require their corresponding July 2026 servicing-channel updates.
Windows 10 21H2 and 22H2 entries also illustrate why inventory context is essential. The appearance of an operating-system version in a CVE record does not restore mainstream support for every edition or deployment. Updates may be available only to editions still serviced under Microsoft’s lifecycle policies or to devices covered by an Extended Security Updates program.
“Confirmed” Describes the Finding, Not Active Exploitation
The report-confidence language displayed in Microsoft’s advisory is part of the CVSS temporal metrics. A value of confirmed indicates that the vulnerability’s existence and technical basis have been validated, including confirmation by the affected vendor. It does not mean attackers are known to be exploiting it.As of July 15, 2026, CISA’s SSVC data records no known exploitation and classifies the vulnerability as non-automatable. CVE-2026-50359 was also not one of the July Patch Tuesday vulnerabilities highlighted as publicly disclosed or exploited in the wild by Microsoft or contemporaneous Patch Tuesday reporting.
That distinction prevents the advisory language from creating unnecessary alarm. The vulnerability is real, Microsoft has issued a fix, and the potential impact is substantial, but the available evidence does not currently place it in zero-day or active-campaign territory.
The absence of observed exploitation is still only a point-in-time assessment. Patch publication gives attackers a starting point for comparing updated and unpatched binaries, and privilege-escalation vulnerabilities can become more useful once reliable exploit techniques emerge. Microsoft has disclosed too little technical detail to judge how practical that process will be for this particular use-after-free condition.
Cumulative Updates Are the Practical Fix
For current Windows 10, Windows 11, and supported Windows Server deployments, CVE-2026-50359 is addressed through the July 2026 operating-system security updates. Examples include KB5099535 for Windows Server 2016 and KB5099536 for Windows Server 2025, while other releases receive their own applicable cumulative update or monthly rollup.Because the affected MSXML functionality ships as part of Windows, there is no separate parser installer that administrators should deploy in place of the OS update. Microsoft has not published a configuration workaround or mitigation that offers equivalent protection.
Enterprise teams should therefore treat normal cumulative-update validation as the remediation path:
- Confirm that endpoint-management and vulnerability-scanning platforms recognize CVE-2026-50359 and the July 2026 supersedence chain.
- Prioritize multi-user systems, administrative workstations, jump hosts, and servers where lower-privileged users or service identities can execute code.
- Verify the installed OS build after deployment and reboot rather than relying solely on an update’s downloaded or installed status.
- Investigate legacy MSXML installations separately, but do not assume that removing an old side-by-side parser resolves the vulnerable Windows component.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com