CVE-2026-56173, a high-severity Windows WebView elevation-of-privilege vulnerability, was fixed in Microsoft’s July 14, 2026 security updates. The flaw affects multiple Windows 10, Windows 11, and Windows Server releases, allowing a locally authenticated attacker to raise privileges after exploiting a use-after-free memory error.
Microsoft assigned the vulnerability a CVSS 3.1 base score of 7.0 and classified its impact as elevation of privilege. The Microsoft Security Response Center disclosed the issue through its Security Update Guide, while the National Vulnerability Database lists the record as awaiting additional enrichment rather than disputing Microsoft’s assessment.
For administrators, the immediate action is straightforward: deploy the July 2026 cumulative updates and verify the resulting Windows build, particularly on shared workstations, remote desktop hosts, application servers, and other systems where untrusted users can run code.
Microsoft describes CVE-2026-56173 as a use-after-free vulnerability in Windows WebView. This class of memory-safety defect occurs when software continues using an object after the associated memory has been released, potentially allowing an attacker to influence what occupies that memory next.
The published CVSS vector is
Attack complexity is rated high, which lowers the score from the 7.8 commonly assigned to straightforward local privilege-escalation bugs. That rating suggests successful exploitation depends on conditions beyond simply launching a prepared executable, such as arranging memory in a particular state or winning a timing-sensitive operation.
The consequences remain serious if those conditions can be met. Elevation of privilege can turn an ordinary user account or an initial foothold obtained through another vulnerability into broader control over the affected machine. An attacker could potentially access protected information, alter system resources, disable defenses, or establish persistence with privileges unavailable to the original account.
CVE-2026-56173 is therefore more likely to appear as part of an attack chain than as the opening move. A phishing payload, compromised application, malicious insider, or attacker with limited remote access could use a local privilege-escalation flaw to escape the restrictions imposed on that initial session.
Microsoft’s July cumulative updates move systems to fixed builds. Windows 11 versions 24H2 and 25H2 receive KB5101650, taking them to OS builds 26100.8875 and 26200.8875 respectively. Windows 11 version 23H2 reaches build 22631.7376 through KB5099414, while Windows 10 versions 21H2 and 22H2 reach builds 19044.7548 and 19045.7548 through KB5099539.
For Windows Server 2019 and Windows 10 version 1809, KB5099538 advances the operating system to build 17763.9020. Microsoft says it is not currently aware of issues specific to that cumulative update, although organizations still need to account for the package’s other security hardening and quality changes during deployment testing.
Windows 11 version 26H1 receives the newer July cumulative update KB5101649, which takes the operating system to build 28000.2525. That build is newer than the vulnerable boundary recorded for CVE-2026-56173, so administrators should use the current cumulative-update level rather than treating the CVE database’s lower boundary as a recommendation to install an older package.
A confirmed confidence rating generally means the vendor has acknowledged the vulnerability, detailed reports or reproducible evidence exist, or the affected source code can independently substantiate the finding. In this case, Microsoft is both the assigning CVE authority and the vendor shipping the correction, so there is little uncertainty about whether the defect is real.
That confidence also does not mean a public proof-of-concept exploit is available. As of July 15, neither Microsoft’s published description nor the initial NVD record provides exploit code, detailed memory-corruption mechanics, or a step-by-step attack scenario. The NVD entry remains marked “Awaiting Enrichment,” reflecting the record’s newness and limited public technical detail.
Administrators should therefore keep three separate concepts in view:
That embedded role makes WebView vulnerabilities operationally important. Security teams cannot assume that blocking direct browser use or standardizing on another default browser removes the affected Windows component. Applications that host web content, authentication interfaces, help panels, setup experiences, or hybrid user interfaces may still depend on the underlying technology.
Microsoft has not publicly identified a specific application workflow required to trigger CVE-2026-56173. It would consequently be premature to claim that visiting an arbitrary website is sufficient, or that updating only the separately serviced Microsoft Edge WebView2 Runtime resolves the operating-system vulnerability.
The affected-build data points administrators toward the Windows cumulative updates as the supported remediation. Enterprises should avoid relying on browser policy, application allowlisting, or removal of a visible WebView-based app as a substitute for updating the operating system.
A practical validation cycle should check the OS build with
Shared systems deserve particular attention. Remote Desktop Session Hosts, jump servers, virtual desktop infrastructure, developer workstations, kiosks that permit application execution, and machines used by contractors all give lower-privileged accounts opportunities to interact with local components.
Microsoft’s July updates contain many changes beyond CVE-2026-56173, so staged testing remains sensible. However, the combination of confirmed memory corruption, privilege escalation, no required user interaction, and high impact across all three security dimensions argues against leaving the update in an extended pilot solely because exploitation is rated complex.
The meaningful endpoint is not that KB5101650, KB5099539, KB5099414, KB5099538, or KB5101649 appears in a deployment console. It is that every affected device has installed the appropriate July 14, 2026 cumulative update, restarted where required, and reports a fixed build rather than merely an approved patch.
Microsoft assigned the vulnerability a CVSS 3.1 base score of 7.0 and classified its impact as elevation of privilege. The Microsoft Security Response Center disclosed the issue through its Security Update Guide, while the National Vulnerability Database lists the record as awaiting additional enrichment rather than disputing Microsoft’s assessment.
For administrators, the immediate action is straightforward: deploy the July 2026 cumulative updates and verify the resulting Windows build, particularly on shared workstations, remote desktop hosts, application servers, and other systems where untrusted users can run code.
A Local Flaw With System-Level Consequences
Microsoft describes CVE-2026-56173 as a use-after-free vulnerability in Windows WebView. This class of memory-safety defect occurs when software continues using an object after the associated memory has been released, potentially allowing an attacker to influence what occupies that memory next.The published CVSS vector is
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, exploitation requires local access and low existing privileges, does not require another user to interact with a prompt or malicious file, and carries high potential impact to confidentiality, integrity, and availability.Attack complexity is rated high, which lowers the score from the 7.8 commonly assigned to straightforward local privilege-escalation bugs. That rating suggests successful exploitation depends on conditions beyond simply launching a prepared executable, such as arranging memory in a particular state or winning a timing-sensitive operation.
The consequences remain serious if those conditions can be met. Elevation of privilege can turn an ordinary user account or an initial foothold obtained through another vulnerability into broader control over the affected machine. An attacker could potentially access protected information, alter system resources, disable defenses, or establish persistence with privileges unavailable to the original account.
CVE-2026-56173 is therefore more likely to appear as part of an attack chain than as the opening move. A phishing payload, compromised application, malicious insider, or attacker with limited remote access could use a local privilege-escalation flaw to escape the restrictions imposed on that initial session.
The Affected Builds Span Several Windows Generations
The CVE record covers a broad selection of client and server platforms. According to the affected-version information supplied by Microsoft and reproduced by the National Vulnerability Database, vulnerable builds include:- Windows 10 version 1809 builds earlier than 17763.9020.
- Windows 10 version 21H2 builds earlier than 19044.7548.
- Windows 10 version 22H2 builds earlier than 19045.7548.
- Windows 11 version 23H2 builds earlier than 22631.7376.
- Windows 11 version 24H2 builds earlier than 26100.8875.
- Windows 11 version 25H2 builds earlier than 26200.8875.
- Windows 11 version 26H1 builds within the affected range recorded by Microsoft.
- Windows Server 2019 builds earlier than 17763.9020.
Microsoft’s July cumulative updates move systems to fixed builds. Windows 11 versions 24H2 and 25H2 receive KB5101650, taking them to OS builds 26100.8875 and 26200.8875 respectively. Windows 11 version 23H2 reaches build 22631.7376 through KB5099414, while Windows 10 versions 21H2 and 22H2 reach builds 19044.7548 and 19045.7548 through KB5099539.
For Windows Server 2019 and Windows 10 version 1809, KB5099538 advances the operating system to build 17763.9020. Microsoft says it is not currently aware of issues specific to that cumulative update, although organizations still need to account for the package’s other security hardening and quality changes during deployment testing.
Windows 11 version 26H1 receives the newer July cumulative update KB5101649, which takes the operating system to build 28000.2525. That build is newer than the vulnerable boundary recorded for CVE-2026-56173, so administrators should use the current cumulative-update level rather than treating the CVE database’s lower boundary as a recommendation to install an older package.
“Confirmed” Does Not Mean Exploitation Has Been Observed
The report-confidence language shown in Microsoft’s advisory is easy to misread. It measures confidence that the vulnerability exists and that the available technical description is credible; it is not an indication that attackers are already exploiting the flaw.A confirmed confidence rating generally means the vendor has acknowledged the vulnerability, detailed reports or reproducible evidence exist, or the affected source code can independently substantiate the finding. In this case, Microsoft is both the assigning CVE authority and the vendor shipping the correction, so there is little uncertainty about whether the defect is real.
That confidence also does not mean a public proof-of-concept exploit is available. As of July 15, neither Microsoft’s published description nor the initial NVD record provides exploit code, detailed memory-corruption mechanics, or a step-by-step attack scenario. The NVD entry remains marked “Awaiting Enrichment,” reflecting the record’s newness and limited public technical detail.
Administrators should therefore keep three separate concepts in view:
- Microsoft has confirmed that the vulnerability exists.
- The vulnerability has a high potential impact if successfully exploited.
- The available public record does not, by itself, establish active exploitation or public disclosure before the patch.
WebView Expands the Reach Beyond the Browser Window
Windows WebView technology allows applications and operating-system experiences to display web-based content within a native interface. Users may encounter such content without deliberately opening Microsoft Edge or thinking of the program as a browser.That embedded role makes WebView vulnerabilities operationally important. Security teams cannot assume that blocking direct browser use or standardizing on another default browser removes the affected Windows component. Applications that host web content, authentication interfaces, help panels, setup experiences, or hybrid user interfaces may still depend on the underlying technology.
Microsoft has not publicly identified a specific application workflow required to trigger CVE-2026-56173. It would consequently be premature to claim that visiting an arbitrary website is sufficient, or that updating only the separately serviced Microsoft Edge WebView2 Runtime resolves the operating-system vulnerability.
The affected-build data points administrators toward the Windows cumulative updates as the supported remediation. Enterprises should avoid relying on browser policy, application allowlisting, or removal of a visible WebView-based app as a substitute for updating the operating system.
Patch Validation Matters More Than Package Approval
Because Microsoft distributes these fixes through cumulative updates, organizations do not need to deploy a standalone CVE-specific patch. The relevant July package must install successfully, the system must complete any required restart, and inventory tools must report a build at or above the corrected level.A practical validation cycle should check the OS build with
winver, PowerShell inventory, Configuration Manager, Microsoft Intune, Windows Update for Business reporting, or the organization’s vulnerability-management platform. Administrators should also investigate machines that report the KB as approved but remain on an earlier build, since pending reboots and installation rollbacks can create misleading compliance results.Shared systems deserve particular attention. Remote Desktop Session Hosts, jump servers, virtual desktop infrastructure, developer workstations, kiosks that permit application execution, and machines used by contractors all give lower-privileged accounts opportunities to interact with local components.
Microsoft’s July updates contain many changes beyond CVE-2026-56173, so staged testing remains sensible. However, the combination of confirmed memory corruption, privilege escalation, no required user interaction, and high impact across all three security dimensions argues against leaving the update in an extended pilot solely because exploitation is rated complex.
The meaningful endpoint is not that KB5101650, KB5099539, KB5099414, KB5099538, or KB5101649 appears in a deployment console. It is that every affected device has installed the appropriate July 14, 2026 cumulative update, restarted where required, and reports a fixed build rather than merely an approved patch.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org
- Related coverage: encyb.com