Microsoft’s July 14, 2026 security updates fix CVE-2026-57093, a Windows Ancillary Function Driver for WinSock elevation-of-privilege vulnerability that can allow an authenticated local attacker to reach higher privileges on an affected machine. The flaw is rated 7.0 under CVSS 3.1 and affects a broad range of supported client and server releases, making this a patching priority for organizations that rely on ordinary-user endpoints, shared servers, jump boxes, and developer workstations.
Microsoft published the advisory as part of its July 2026 security release. The CVE Program’s record describes the underlying weakness as a use-after-free condition in the Windows Ancillary Function Driver for WinSock, commonly known as AFD. In plain terms, that means the driver may continue using memory after it has been released—a class of kernel-level memory-safety flaw that can be difficult to exploit reliably, but can deliver powerful results when an attacker succeeds.
This is not a network-worm scenario and does not mean that merely being connected to a hostile Wi-Fi network exposes a PC. An attacker needs local access and an authenticated account, according to the vulnerability record. But that constraint is less comforting in real intrusions than it first appears: malware, a compromised standard user, a remote-access foothold, or an insider with a low-privilege account can all provide the starting point needed for a local privilege-escalation chain.
AFD is a kernel-mode component used by the Windows networking stack to support socket operations for WinSock applications. It sits below everyday software that communicates over networks, which is why Windows vulnerabilities in this driver regularly appear across many product generations instead of being isolated to one application or optional feature.
Microsoft’s affected-product data covers Windows 10 version 1607 and version 1809; Windows 10 21H2 and 22H2; Windows 11 24H2, 25H2, and 26H1; Windows Server 2012 and 2012 R2; and Windows Server 2016, 2019, 2022, and 2025. Both full-server and Server Core installations are included where applicable.
The affected architectures also matter. Windows 10 entries include 32-bit, x64, and—in newer releases—Arm64 systems. Windows 11 entries cover x64 and Arm64. That means the issue cannot safely be treated as a legacy x86-only concern or a server-only problem.
Microsoft’s advisory identifies the July 14 cumulative updates as the remediation path. For the current Windows 11 servicing branches, the relevant baseline is KB5101650, which advances Windows 11 24H2 to build 26100.8875 and Windows 11 25H2 to build 26200.8875. Windows 11 26H1 receives KB5101649, build 28000.2525.
For Windows 10 21H2 and 22H2 servicing channels, KB5099539 takes systems to builds 19044.7548 and 19045.7548. Windows Server estates must follow the applicable July cumulative update for their individual servicing branch rather than attempting to deploy a client package across server SKUs.
A successful kernel-level elevation can undermine the protections administrators expect from User Account Control, application restrictions, service permissions, and user-profile boundaries. It can also make persistence, credential theft, endpoint-defense tampering, and lateral movement substantially easier.
The technical prerequisites reported for CVE-2026-57093 temper its immediate exposure. The CVSS assessment reflects local attack vector, low privileges required, no user interaction, and high attack complexity. High attack complexity should not be read as “safe to defer”; it means exploitation is expected to require conditions beyond simply running a trivial proof of concept.
Equally important, Microsoft has not provided public technical reproduction details in the advisory material available at publication. The CVE record confirms the vulnerability and identifies its use-after-free root cause, but it does not disclose a reliable exploit technique. That limits what defenders can hunt for specifically today, while also giving patch deployment a window before technical research or weaponized code becomes more accessible.
The build thresholds Microsoft lists include:
Administrators can verify a device’s version using
That compatibility notice is separate from CVE-2026-57093, and it would be a mistake to present it as a mitigation for the AFD bug. It does, however, reinforce the case for a disciplined deployment plan in environments with legacy network tools, specialist security agents, monitoring software, or proprietary line-of-business applications that hook into Windows networking behavior.
Windows 11 24H2 and 25H2 deployments have an additional distribution wrinkle. Microsoft says KB5101650 may be temporarily unavailable for a limited set of Dell systems with Intel processors because Dell reported potential unexpected shutdowns, reduced performance, elevated heat, and battery drain. Organizations with affected devices should track the vendor and Microsoft resolution rather than forcing an update outside approved servicing guidance.
For most other managed endpoints, this should move through normal expedited security-update rings. Test the update against networking-dependent business software, confirm successful installation and post-reboot build numbers, then move rapidly to broad deployment.
CVE-2026-57093 is not the loudest vulnerability in Microsoft’s July release, but it lands in a deeply embedded Windows kernel component and converts a low-privilege foothold into a potentially much more serious compromise. The practical decision is straightforward: bring supported Windows clients and servers to the July 14, 2026 cumulative update level—or later—and treat exceptions as time-limited operational risks, not a reason to leave AFD unpatched.
Microsoft published the advisory as part of its July 2026 security release. The CVE Program’s record describes the underlying weakness as a use-after-free condition in the Windows Ancillary Function Driver for WinSock, commonly known as AFD. In plain terms, that means the driver may continue using memory after it has been released—a class of kernel-level memory-safety flaw that can be difficult to exploit reliably, but can deliver powerful results when an attacker succeeds.
This is not a network-worm scenario and does not mean that merely being connected to a hostile Wi-Fi network exposes a PC. An attacker needs local access and an authenticated account, according to the vulnerability record. But that constraint is less comforting in real intrusions than it first appears: malware, a compromised standard user, a remote-access foothold, or an insider with a low-privilege account can all provide the starting point needed for a local privilege-escalation chain.
A WinSock Kernel Component Makes the Scope Broad
AFD is a kernel-mode component used by the Windows networking stack to support socket operations for WinSock applications. It sits below everyday software that communicates over networks, which is why Windows vulnerabilities in this driver regularly appear across many product generations instead of being isolated to one application or optional feature.Microsoft’s affected-product data covers Windows 10 version 1607 and version 1809; Windows 10 21H2 and 22H2; Windows 11 24H2, 25H2, and 26H1; Windows Server 2012 and 2012 R2; and Windows Server 2016, 2019, 2022, and 2025. Both full-server and Server Core installations are included where applicable.
The affected architectures also matter. Windows 10 entries include 32-bit, x64, and—in newer releases—Arm64 systems. Windows 11 entries cover x64 and Arm64. That means the issue cannot safely be treated as a legacy x86-only concern or a server-only problem.
Microsoft’s advisory identifies the July 14 cumulative updates as the remediation path. For the current Windows 11 servicing branches, the relevant baseline is KB5101650, which advances Windows 11 24H2 to build 26100.8875 and Windows 11 25H2 to build 26200.8875. Windows 11 26H1 receives KB5101649, build 28000.2525.
For Windows 10 21H2 and 22H2 servicing channels, KB5099539 takes systems to builds 19044.7548 and 19045.7548. Windows Server estates must follow the applicable July cumulative update for their individual servicing branch rather than attempting to deploy a client package across server SKUs.
The Exploit Path Is Local, but the Prize Is SYSTEM-Level Control
Elevation-of-privilege bugs are frequently the second half of an attack. A phishing attachment, malicious browser extension, exploited third-party application, stolen VPN credential, or abused remote-management tool may initially execute under a constrained user account. Local privilege escalation can then turn that limited foothold into control over the device itself.A successful kernel-level elevation can undermine the protections administrators expect from User Account Control, application restrictions, service permissions, and user-profile boundaries. It can also make persistence, credential theft, endpoint-defense tampering, and lateral movement substantially easier.
The technical prerequisites reported for CVE-2026-57093 temper its immediate exposure. The CVSS assessment reflects local attack vector, low privileges required, no user interaction, and high attack complexity. High attack complexity should not be read as “safe to defer”; it means exploitation is expected to require conditions beyond simply running a trivial proof of concept.
Equally important, Microsoft has not provided public technical reproduction details in the advisory material available at publication. The CVE record confirms the vulnerability and identifies its use-after-free root cause, but it does not disclose a reliable exploit technique. That limits what defenders can hunt for specifically today, while also giving patch deployment a window before technical research or weaponized code becomes more accessible.
Build Numbers Are the Fastest Validation Check
For administrators, the most useful immediate check is whether endpoints have installed the July 14 quality update—or a later cumulative update that supersedes it. Cumulative servicing means organizations do not need a standalone hotfix for CVE-2026-57093; the appropriate current monthly Windows update carries the fix.The build thresholds Microsoft lists include:
- Windows 11 24H2 is affected below build 26100.8875, while Windows 11 25H2 is affected below build 26200.8875.
- Windows 11 26H1 is affected below build 28000.2525.
- Windows 10 22H2 is affected below build 19045.7548, and Windows 10 21H2 is affected below build 19044.7548.
- Windows Server 2025 is affected below build 26100.33158, while Windows Server 2022 is affected below build 20348.5386.
- Windows Server 2019 and Windows Server 2016 are affected below builds 17763.9020 and 14393.9339, respectively.
Administrators can verify a device’s version using
winver, Settings’ Windows Update history, PowerShell inventory, Microsoft Intune reporting, Windows Server Update Services, or their endpoint-management platform. A system that has installed a later cumulative update should also contain the security fix, assuming the later release remains applicable to that servicing branch.July’s Networking Change Deserves Separate Testing
The July 14 Windows updates also introduce a networking hardening change that enforces Transport Driver Interface, or TDI, transport registration requirements. Microsoft says software that uses sockets over an unregistered third-party TDI transport may stop working after the update; registered transports are not affected.That compatibility notice is separate from CVE-2026-57093, and it would be a mistake to present it as a mitigation for the AFD bug. It does, however, reinforce the case for a disciplined deployment plan in environments with legacy network tools, specialist security agents, monitoring software, or proprietary line-of-business applications that hook into Windows networking behavior.
Windows 11 24H2 and 25H2 deployments have an additional distribution wrinkle. Microsoft says KB5101650 may be temporarily unavailable for a limited set of Dell systems with Intel processors because Dell reported potential unexpected shutdowns, reduced performance, elevated heat, and battery drain. Organizations with affected devices should track the vendor and Microsoft resolution rather than forcing an update outside approved servicing guidance.
For most other managed endpoints, this should move through normal expedited security-update rings. Test the update against networking-dependent business software, confirm successful installation and post-reboot build numbers, then move rapidly to broad deployment.
CVE-2026-57093 is not the loudest vulnerability in Microsoft’s July release, but it lands in a deeply embedded Windows kernel component and converts a low-privilege foothold into a potentially much more serious compromise. The practical decision is straightforward: bring supported Windows clients and servers to the July 14, 2026 cumulative update level—or later—and treat exceptions as time-limited operational risks, not a reason to leave AFD unpatched.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com