CVE-2026-44800 is a high-severity elevation-of-privilege vulnerability in Windows Push Notifications that Microsoft fixed on July 14, 2026, with updates for Windows 11 and Windows Server 2025. The flaw requires an attacker to already have local access, but successful exploitation could raise that attacker’s privileges and provide broad control over the compromised system.
Microsoft rates the vulnerability Important, while its CVSS 3.1 base score of 7.8 places it in the high-severity range. The Microsoft Security Response Center describes the underlying defect as a race condition involving improperly synchronized access to a shared resource.
The vulnerability was disclosed through Microsoft’s July 2026 security release and subsequently entered into the National Vulnerability Database. Microsoft’s acknowledgment confirms that the flaw exists, but the publicly available technical information remains limited: there is no detailed attack sequence, proof-of-concept code, or description of the specific Windows Push Notifications object that becomes unsafe.
CVE-2026-44800 is not a vulnerability that an unauthenticated attacker can exploit directly over the internet. Microsoft’s CVSS vector specifies local access and low privileges, meaning an attacker must first sign in, execute code, or otherwise establish a foothold on the Windows device.
No user interaction is required once those conditions are met. That distinction matters on shared workstations, virtual desktop infrastructure, development machines, and servers where users or service accounts can execute untrusted code.
Microsoft assigns high potential impact to confidentiality, integrity, and availability. In practical terms, privilege escalation can turn an initially constrained compromise into one capable of reading protected information, modifying system resources, disabling security controls, installing persistent malware, or disrupting the machine.
The CVSS vector also marks the vulnerability as scope changed. That indicates successful exploitation could allow the attacker to cross a security boundary and affect resources governed by a different authorization context from the vulnerable component itself. Microsoft has not publicly documented the resulting privilege level, so administrators should not assume that every successful attempt necessarily grants SYSTEM access, even though the overall impact rating warrants treating the flaw as a serious local escalation path.
That timing dependency explains the “high” attack-complexity rating. An attacker would need to trigger operations in a particular order or within a narrow timing window to produce the unsafe state. Race conditions can require repeated attempts, careful control of processor scheduling, or manipulation of system load before exploitation becomes reliable.
High complexity reduces the probability of casual exploitation, but it does not make the flaw harmless. Attackers frequently combine local privilege-escalation vulnerabilities with phishing, malicious documents, compromised software packages, browser flaws, or stolen low-privilege credentials. Once an attacker has ordinary code execution, a vulnerability such as CVE-2026-44800 can become the second stage that breaks out of the original account’s restrictions.
Microsoft’s vendor confirmation gives the vulnerability’s existence a high degree of confidence. Confidence in the currently public technical details is narrower: the affected component, weakness classes, prerequisites, impact, and repaired build boundaries are known, but the vulnerable functions and exploitation mechanics have not been published.
There is also no public indication in the available Microsoft and NVD records that CVE-2026-44800 was being actively exploited when it was disclosed. It should therefore be prioritized as a confirmed, consequential vulnerability rather than treated as a known zero-day attack already circulating in the wild.
The repaired build thresholds provide a direct compliance check:
Windows Server 2025 receives KB5099536 and moves to build 26100.33158. Microsoft lists both the full desktop installation and Server Core as affected, so removing the graphical shell does not eliminate exposure.
The 26H1 boundary is unusual because build 28000.2269 was delivered with the June 9 update, KB5095051. Microsoft’s CVE data treats versions below that build as affected, meaning 26H1 devices already running the June security build or anything newer have crossed the published repair threshold.
Administrators should verify actual OS builds rather than relying solely on whether a device reports that Windows Update ran recently. A machine can remain vulnerable because an update was deferred, failed installation, was rolled back, or is pending a restart.
The build can be checked with
The appropriate response is to deploy the cumulative security update. Because Windows cumulative updates supersede earlier packages, installing a newer applicable cumulative update should also carry the fix forward.
Enterprise teams should prioritize systems where untrusted or semi-trusted users can run applications, including pooled virtual desktops, classrooms, kiosks with desktop access, build systems, jump hosts, and multi-user servers. Internet exposure is not the central risk factor here; the important question is how easily an attacker can obtain local code execution under a restricted identity.
Security teams should also view CVE-2026-44800 as part of an attack chain rather than in isolation. Endpoint telemetry showing suspicious child processes, token manipulation, unexpected service creation, security-tool tampering, or privileged processes launched after activity in a standard user session deserves investigation, although Microsoft has not published vulnerability-specific indicators of compromise.
For most Windows 11 PCs, the fix arrives through the mandatory July 2026 cumulative update. The immediate operational target is therefore concrete: confirm KB5099414 or KB5101650 on supported clients, KB5099536 on Windows Server 2025, and verify that every device has reached the corresponding repaired build rather than merely downloaded the package.
Microsoft rates the vulnerability Important, while its CVSS 3.1 base score of 7.8 places it in the high-severity range. The Microsoft Security Response Center describes the underlying defect as a race condition involving improperly synchronized access to a shared resource.
The vulnerability was disclosed through Microsoft’s July 2026 security release and subsequently entered into the National Vulnerability Database. Microsoft’s acknowledgment confirms that the flaw exists, but the publicly available technical information remains limited: there is no detailed attack sequence, proof-of-concept code, or description of the specific Windows Push Notifications object that becomes unsafe.
A Local Flaw With System-Level Consequences
CVE-2026-44800 is not a vulnerability that an unauthenticated attacker can exploit directly over the internet. Microsoft’s CVSS vector specifies local access and low privileges, meaning an attacker must first sign in, execute code, or otherwise establish a foothold on the Windows device.No user interaction is required once those conditions are met. That distinction matters on shared workstations, virtual desktop infrastructure, development machines, and servers where users or service accounts can execute untrusted code.
Microsoft assigns high potential impact to confidentiality, integrity, and availability. In practical terms, privilege escalation can turn an initially constrained compromise into one capable of reading protected information, modifying system resources, disabling security controls, installing persistent malware, or disrupting the machine.
The CVSS vector also marks the vulnerability as scope changed. That indicates successful exploitation could allow the attacker to cross a security boundary and affect resources governed by a different authorization context from the vulnerable component itself. Microsoft has not publicly documented the resulting privilege level, so administrators should not assume that every successful attempt necessarily grants SYSTEM access, even though the overall impact rating warrants treating the flaw as a serious local escalation path.
Winning the Race Is the Hard Part
The CVE record associates the flaw with both CWE-362, concurrent execution using a shared resource with improper synchronization, and CWE-416, use after free. Together, those classifications suggest that Windows Push Notifications may allow one execution path to use an object while another path changes or releases it.That timing dependency explains the “high” attack-complexity rating. An attacker would need to trigger operations in a particular order or within a narrow timing window to produce the unsafe state. Race conditions can require repeated attempts, careful control of processor scheduling, or manipulation of system load before exploitation becomes reliable.
High complexity reduces the probability of casual exploitation, but it does not make the flaw harmless. Attackers frequently combine local privilege-escalation vulnerabilities with phishing, malicious documents, compromised software packages, browser flaws, or stolen low-privilege credentials. Once an attacker has ordinary code execution, a vulnerability such as CVE-2026-44800 can become the second stage that breaks out of the original account’s restrictions.
Microsoft’s vendor confirmation gives the vulnerability’s existence a high degree of confidence. Confidence in the currently public technical details is narrower: the affected component, weakness classes, prerequisites, impact, and repaired build boundaries are known, but the vulnerable functions and exploitation mechanics have not been published.
There is also no public indication in the available Microsoft and NVD records that CVE-2026-44800 was being actively exploited when it was disclosed. It should therefore be prioritized as a confirmed, consequential vulnerability rather than treated as a known zero-day attack already circulating in the wild.
Supported Windows 11 Releases Need the New Builds
Microsoft’s affected-version data identifies Windows 11 versions 23H2, 24H2, 25H2, and 26H1, along with Windows Server 2025. Both x64 and Arm64 editions are affected where those architectures are supported.The repaired build thresholds provide a direct compliance check:
- Windows 11 version 23H2 should be updated to OS build 22631.7376 or later.
- Windows 11 version 24H2 should be updated to OS build 26100.8875 or later.
- Windows 11 version 25H2 should be updated to OS build 26200.8875 or later.
- Windows 11 version 26H1 is not affected when running OS build 28000.2269 or later.
- Windows Server 2025 should be updated to OS build 26100.33158 or later.
Windows Server 2025 receives KB5099536 and moves to build 26100.33158. Microsoft lists both the full desktop installation and Server Core as affected, so removing the graphical shell does not eliminate exposure.
The 26H1 boundary is unusual because build 28000.2269 was delivered with the June 9 update, KB5095051. Microsoft’s CVE data treats versions below that build as affected, meaning 26H1 devices already running the June security build or anything newer have crossed the published repair threshold.
Administrators should verify actual OS builds rather than relying solely on whether a device reports that Windows Update ran recently. A machine can remain vulnerable because an update was deferred, failed installation, was rolled back, or is pending a restart.
The build can be checked with
winver, through Settings under System and About, or at scale using PowerShell, Microsoft Intune, Configuration Manager, Windows Update for Business reports, or another endpoint-management platform.Patch Deployment Beats Component Workarounds
Microsoft has not documented a dedicated workaround or mitigation that safely disables only the vulnerable behavior. Attempts to turn off notification services could interfere with application alerts and Windows functionality without proving that the underlying privilege boundary is protected.The appropriate response is to deploy the cumulative security update. Because Windows cumulative updates supersede earlier packages, installing a newer applicable cumulative update should also carry the fix forward.
Enterprise teams should prioritize systems where untrusted or semi-trusted users can run applications, including pooled virtual desktops, classrooms, kiosks with desktop access, build systems, jump hosts, and multi-user servers. Internet exposure is not the central risk factor here; the important question is how easily an attacker can obtain local code execution under a restricted identity.
Security teams should also view CVE-2026-44800 as part of an attack chain rather than in isolation. Endpoint telemetry showing suspicious child processes, token manipulation, unexpected service creation, security-tool tampering, or privileged processes launched after activity in a standard user session deserves investigation, although Microsoft has not published vulnerability-specific indicators of compromise.
For most Windows 11 PCs, the fix arrives through the mandatory July 2026 cumulative update. The immediate operational target is therefore concrete: confirm KB5099414 or KB5101650 on supported clients, KB5099536 on Windows Server 2025, and verify that every device has reached the corresponding repaired build rather than merely downloaded the package.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com