CVE-2026-44806 exposes supported Windows clients and servers to a remotely triggered denial of service through Windows Secure Channel, with Microsoft shipping the fix in its July 14, 2026 security updates. The flaw requires no authentication or user interaction, making patch deployment the primary defense even though Microsoft scores it at a comparatively moderate CVSS 3.1 rating of 5.3.
Detailed in the Microsoft Security Response Center’s July advisory, the vulnerability stems from memory that Windows Cryptographic Services fails to release after its effective lifetime. An unauthorized attacker can exploit that resource-management error over a network, gradually or repeatedly impairing the availability of the affected component.
The National Vulnerability Database lists the underlying weakness as CWE-401, Missing Release of Memory after Effective Lifetime. Microsoft’s scoring indicates low attack complexity, network reachability and no prerequisite privileges, but only a limited availability impact rather than a complete system compromise.
That combination is important: CVE-2026-44806 is not a remote-code-execution flaw, and Microsoft reports no confidentiality or integrity impact. It is nevertheless a practical service-disruption risk for Windows systems that process attacker-controlled secure-channel traffic.
Microsoft assigned CVE-2026-44806 the vector
The score remains at 5.3 because successful exploitation affects availability only, with Microsoft rating that impact as low. The vulnerability does not provide direct access to protected information, allow data modification or cross a security boundary into another component.
CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment marked exploitation as “none,” meaning there was no known active exploitation at the time of assessment. It also marked the flaw as automatable with partial technical impact, an assessment that fits a remotely reachable denial-of-service condition that could potentially be repeated across multiple targets.
Automatable does not mean exploited. It means the attack conditions appear suitable for reliable scanning or repeated delivery without substantial human effort once technical details or working exploit code become available. Administrators should therefore avoid treating the absence of current attacks as a reason to leave exposed systems unpatched indefinitely.
Microsoft’s report confidence is confirmed, reflecting vendor acknowledgement and sufficiently credible technical information. That confidence metric speaks to whether the vulnerability is real and understood; it does not predict how quickly attackers will weaponize it.
Microsoft’s CVE title identifies Windows Secure Channel, while the technical description refers more broadly to Windows Cryptographic Services. The practical reading is that malformed or repeated network activity reaches cryptographic processing that does not release memory correctly, eventually reducing service availability. Microsoft has not publicly documented the precise message sequence, resource-consumption rate or recovery behavior.
That missing detail limits any claim that one packet will crash an entire Windows machine. A denial-of-service result might instead involve progressive memory exhaustion, failure of a service handling secure connections, or degradation that becomes serious only after repeated requests.
Administrators should concentrate first on internet-facing Windows servers, reverse proxies, application servers and other systems terminating TLS through Windows components. Internal servers are not automatically safe, particularly where untrusted devices, guest networks or compromised endpoints can reach services that invoke Schannel.
The flaw also deserves attention on domain infrastructure and management servers even when they are not directly exposed to the internet. Availability attacks against authentication, administration or application dependencies can produce an outsized operational effect without giving the attacker code execution.
Network filtering remains useful for reducing unnecessary exposure, but Microsoft has not published a CVE-specific workaround that can substitute for the update. TLS traffic can also be difficult to inspect deeply once encrypted, making generic intrusion-prevention rules a less dependable answer than correcting the vulnerable code.
The corrected builds identified in Microsoft’s vulnerability data include:
Windows 11 version 23H2 is notably absent from the affected-product record published for CVE-2026-44806, even though it received the broader July cumulative update KB5099414. Administrators should follow Microsoft’s product-specific CVE applicability rather than assume every Windows release receiving updates contained this particular flaw.
Because the correction arrives through cumulative Windows servicing, organizations do not need to deploy a separate Schannel package. Installing the appropriate July 2026 cumulative or monthly rollup update brings the operating system to the fixed build.
The updates also enforce registration requirements for third-party Transport Driver Interface transports. Legacy software using sockets over an unregistered TDI transport may stop working after July 14 updates, giving administrators another compatibility point to test before broad server deployment.
Neither issue changes the need to remediate CVE-2026-44806. It does mean that enterprises should validate BitLocker recovery-key escrow, audit explicit PCR7 policy settings and test network-dependent legacy applications during the pilot ring rather than deploying blindly.
After installation, management platforms should verify the resulting OS build instead of relying solely on a successful update status. Scanners may initially lag behind Microsoft’s newly published applicability data, particularly because the NVD record was still undergoing enrichment shortly after disclosure.
CVE-2026-44806 is not the headline-grabbing class of Windows bug that immediately hands an attacker SYSTEM privileges. Its risk is narrower but operationally familiar: a network-reachable, unauthenticated resource-exhaustion condition in the Windows cryptographic stack. For systems accepting secure connections from untrusted networks, reaching Microsoft’s July 14 fixed builds is the concrete boundary between a confirmed denial-of-service exposure and the corrected implementation.
Detailed in the Microsoft Security Response Center’s July advisory, the vulnerability stems from memory that Windows Cryptographic Services fails to release after its effective lifetime. An unauthorized attacker can exploit that resource-management error over a network, gradually or repeatedly impairing the availability of the affected component.
The National Vulnerability Database lists the underlying weakness as CWE-401, Missing Release of Memory after Effective Lifetime. Microsoft’s scoring indicates low attack complexity, network reachability and no prerequisite privileges, but only a limited availability impact rather than a complete system compromise.
That combination is important: CVE-2026-44806 is not a remote-code-execution flaw, and Microsoft reports no confidentiality or integrity impact. It is nevertheless a practical service-disruption risk for Windows systems that process attacker-controlled secure-channel traffic.
A Medium Score Hides an Easy Attack Path
Microsoft assigned CVE-2026-44806 the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. In operational terms, an attacker can reach the vulnerable component across a network, does not need an account, faces no unusual exploitation conditions and does not need to persuade a user to open a file or visit a site.The score remains at 5.3 because successful exploitation affects availability only, with Microsoft rating that impact as low. The vulnerability does not provide direct access to protected information, allow data modification or cross a security boundary into another component.
CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment marked exploitation as “none,” meaning there was no known active exploitation at the time of assessment. It also marked the flaw as automatable with partial technical impact, an assessment that fits a remotely reachable denial-of-service condition that could potentially be repeated across multiple targets.
Automatable does not mean exploited. It means the attack conditions appear suitable for reliable scanning or repeated delivery without substantial human effort once technical details or working exploit code become available. Administrators should therefore avoid treating the absence of current attacks as a reason to leave exposed systems unpatched indefinitely.
Microsoft’s report confidence is confirmed, reflecting vendor acknowledgement and sufficiently credible technical information. That confidence metric speaks to whether the vulnerability is real and understood; it does not predict how quickly attackers will weaponize it.
Secure Channel Makes Server Exposure the Priority
Windows Secure Channel, commonly called Schannel, is the Windows security support provider used for SSL and TLS communications. Windows applications and server roles can rely on it for encrypted sessions, certificate handling and protocol negotiation rather than implementing those functions independently.Microsoft’s CVE title identifies Windows Secure Channel, while the technical description refers more broadly to Windows Cryptographic Services. The practical reading is that malformed or repeated network activity reaches cryptographic processing that does not release memory correctly, eventually reducing service availability. Microsoft has not publicly documented the precise message sequence, resource-consumption rate or recovery behavior.
That missing detail limits any claim that one packet will crash an entire Windows machine. A denial-of-service result might instead involve progressive memory exhaustion, failure of a service handling secure connections, or degradation that becomes serious only after repeated requests.
Administrators should concentrate first on internet-facing Windows servers, reverse proxies, application servers and other systems terminating TLS through Windows components. Internal servers are not automatically safe, particularly where untrusted devices, guest networks or compromised endpoints can reach services that invoke Schannel.
The flaw also deserves attention on domain infrastructure and management servers even when they are not directly exposed to the internet. Availability attacks against authentication, administration or application dependencies can produce an outsized operational effect without giving the attacker code execution.
Network filtering remains useful for reducing unnecessary exposure, but Microsoft has not published a CVE-specific workaround that can substitute for the update. TLS traffic can also be difficult to inspect deeply once encrypted, making generic intrusion-prevention rules a less dependable answer than correcting the vulnerable code.
The Fix Spans Multiple Windows Generations
Microsoft’s affected-product data covers Windows 10, current Windows 11 releases and Windows Server versions extending back to Server 2012. Both full desktop installations and several Server Core variants are included.The corrected builds identified in Microsoft’s vulnerability data include:
- Windows 10 version 1607 and Windows Server 2016 are updated to build 14393.9339 through KB5099535.
- Windows 10 version 1809 and Windows Server 2019 are updated to build 17763.9020 through KB5099538.
- Windows 10 versions 21H2 and 22H2 are updated to builds 19044.7548 and 19045.7548 through KB5099539.
- Windows Server 2022 is updated to build 20348.5386 through KB5099540.
- Windows 11 versions 24H2 and 25H2 receive KB5101650, taking them to builds 26100.8875 and 26200.8875.
- Windows 11 version 26H1 receives KB5101649, taking it to build 28000.2525.
- Windows Server 2025 is fixed at build 26100.33158, while Server 2012 and Server 2012 R2 receive their respective Extended Security Update packages.
Windows 11 version 23H2 is notably absent from the affected-product record published for CVE-2026-44806, even though it received the broader July cumulative update KB5099414. Administrators should follow Microsoft’s product-specific CVE applicability rather than assume every Windows release receiving updates contained this particular flaw.
Because the correction arrives through cumulative Windows servicing, organizations do not need to deploy a separate Schannel package. Installing the appropriate July 2026 cumulative or monthly rollup update brings the operating system to the fixed build.
Patch Testing Has More Than One Risk to Measure
The July packages contain many changes beyond CVE-2026-44806, so normal staged deployment remains appropriate. Microsoft’s release notes flag a possible BitLocker recovery prompt on a limited number of managed systems with an unrecommended PCR7 Group Policy configuration, particularly where Secure Boot reports PCR7 Binding as “Not Possible.”The updates also enforce registration requirements for third-party Transport Driver Interface transports. Legacy software using sockets over an unregistered TDI transport may stop working after July 14 updates, giving administrators another compatibility point to test before broad server deployment.
Neither issue changes the need to remediate CVE-2026-44806. It does mean that enterprises should validate BitLocker recovery-key escrow, audit explicit PCR7 policy settings and test network-dependent legacy applications during the pilot ring rather than deploying blindly.
After installation, management platforms should verify the resulting OS build instead of relying solely on a successful update status. Scanners may initially lag behind Microsoft’s newly published applicability data, particularly because the NVD record was still undergoing enrichment shortly after disclosure.
CVE-2026-44806 is not the headline-grabbing class of Windows bug that immediately hands an attacker SYSTEM privileges. Its risk is narrower but operationally familiar: a network-reachable, unauthenticated resource-exhaustion condition in the Windows cryptographic stack. For systems accepting secure connections from untrusted networks, reaching Microsoft’s July 14 fixed builds is the concrete boundary between a confirmed denial-of-service exposure and the corrected implementation.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: tomshardware.com
Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild | Tom's Hardware
System administrators, run the May 12 patch immediately if you haven't already.www.tomshardware.com