CVE-2026-49162 Fixes Windows 11 Privilege Escalation

CVE-2026-49162 is a Windows local privilege-escalation vulnerability in Microsoft Brokering File System that can let an authenticated attacker gain higher privileges by triggering a use-after-free memory condition. Microsoft disclosed the flaw on July 14, 2026, and included the correction in security servicing for Windows 11 and Windows Server 2025.
Detailed in Microsoft’s Security Update Guide and the public CVE record, the vulnerability carries a CVSS 3.1 base score of 7.0 and is classified as CWE-416, use after free. It is not described as remotely exploitable: an attacker must already be authorized to run code locally on the target computer.
That prerequisite limits the initial attack path, but it does not make the vulnerability harmless. Privilege-escalation bugs are regularly used after phishing, credential theft, malicious software installation, or another exploit has provided an attacker with an ordinary Windows user foothold.

Cybersecurity dashboard depicts a hacker blocked by a firewall protecting Windows 11 and Server 2025 systems.The Flaw Sits Behind a Local Access Barrier​

A use-after-free vulnerability occurs when software continues to access memory after the object occupying that memory has been released. If an attacker can influence what replaces the freed object, the stale reference may be turned into memory corruption and, in some circumstances, controlled execution under the vulnerable component’s privileges.
Microsoft’s public description is narrow: a use-after-free issue in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. The advisory does not publish the affected function, a reproduction procedure, or the precise privilege level that successful exploitation would provide.
That lack of detail is normal on Patch Tuesday, particularly for vulnerabilities where additional technical guidance would help attackers reverse-engineer the fix. Microsoft has nevertheless marked the vulnerability as confirmed, meaning this is not a speculative weakness based solely on incomplete research.
The CVSS score reflects a meaningful distinction for defenders. CVE-2026-49162 is not an Internet-facing, unauthenticated route into Windows, and it does not eliminate the need for an initial foothold. It is instead a potential bridge from limited local access to control that the attacker should not possess.
That bridge is especially important on shared workstations, Windows Server systems accepting interactive sessions, development machines, virtual desktop infrastructure, and endpoints where users can execute untrusted tools. A standard account that is properly restricted is useful containment only while Windows reliably enforces the boundary around it.

Windows 11 and Server 2025 Are in the Affected Set​

The published CVE data identifies current Windows 11 branches and Windows Server 2025 as affected. Both x64 and Arm64 editions of the listed Windows 11 releases are covered, while the server exposure applies to x64 systems.
The affected product records include:
  • Windows 11 version 24H2 is affected on x64 and Arm64 systems before build 26100.8875.
  • Windows 11 version 25H2 is affected on x64 and Arm64 systems before build 26200.8875.
  • Windows 11 version 26H1 is listed as affected before build 28000.2269.
  • Windows Server 2025 is affected before build 26100.33158.
  • Windows Server 2025 Server Core installations are affected before build 26100.33158.
Administrators should treat the build thresholds as the more dependable compliance test rather than relying only on the product name displayed in Settings or an inventory dashboard. Windows cumulative updates advance the complete OS build, making winver, PowerShell inventory, Microsoft Intune, Windows Update for Business reports, Configuration Manager, or another endpoint-management platform suitable for checking deployment state.
The version 26H1 record deserves attention because Microsoft’s update records associate build 28000.2269 with KB5095051, released on June 9, 2026. The July 14 update, KB5101649, advances that branch to OS build 28000.2525. A 26H1 device already running either of those builds therefore meets or exceeds the affected-version boundary published for CVE-2026-49162.
For Windows 11 24H2, Windows 11 25H2, and Windows Server 2025, organizations should verify that July security servicing has advanced machines beyond the listed vulnerable builds. Merely seeing a successful update installation event is not sufficient if a device later rolled back, failed during reboot, or remains pending restart.

Local Privilege Escalation Changes the Patch Calculation​

The phrase authorized attacker can sound reassuring, but it describes the access needed to attempt exploitation rather than the attacker’s legitimacy. Malware running under a compromised standard account is authorized to make many local system calls even though the person controlling it is not an authorized operator.
CVE-2026-49162 therefore matters most as part of an exploit chain. An attacker might first gain execution through a malicious attachment, stolen remote-access credentials, a poisoned software package, or abuse of a legitimate administration tool. A privilege-escalation exploit can then help escape the restrictions attached to that initial user context.
Higher privileges can expand what follows. Depending on the security boundary crossed, an attacker may be able to interfere with services, access protected data, establish persistence, alter defensive settings, or steal credentials belonging to other users. Microsoft has not publicly stated that CVE-2026-49162 provides SYSTEM privileges, so administrators should not assume a specific post-exploitation result beyond the confirmed ability to elevate privileges.
The vulnerability’s local nature also means that perimeter controls are not the primary mitigation. Firewalls, web gateways, and exposed-service scans may reduce the likelihood of the first compromise, but they do not repair defective memory handling on an endpoint where code is already running.
Installing the corrected cumulative update is the direct remediation. Where immediate deployment is not possible, administrators can reduce opportunity by limiting interactive logons to servers, removing unnecessary local accounts, enforcing application control, and monitoring unexpected process execution from user-writable directories. Those measures constrain attack paths but do not replace Microsoft’s fix.

Patch Verification Matters More Than the Advisory’s Boilerplate​

The report-confidence text included in Microsoft’s advisory explains how CVSS temporal scoring distinguishes rumored or incomplete reports from vulnerabilities confirmed by reliable technical evidence. For CVE-2026-49162, Microsoft’s acknowledgement and published affected-version data establish that the vulnerability exists; the generic metric explanation is not itself evidence that exploit code has been released.
No public technical write-up or proof of concept was identified alongside the initial July 14 disclosure. That should be read as an absence of published detail at release time, not a guarantee that exploitation is impractical. Patch comparison can reveal useful information after cumulative updates become available, particularly to researchers examining changed Windows binaries.
Security teams should inventory vulnerable builds, deploy the July 2026 cumulative updates through their normal test rings, and confirm the resulting OS build after restart. Servers permitting Remote Desktop sessions, jump hosts, developer workstations, and machines used by multiple accounts warrant earlier placement in the rollout because they provide more plausible routes to local code execution.
CVE-2026-49162 does not present the same immediate exposure as an unauthenticated remote-code-execution flaw, but it weakens a boundary Windows environments depend on after an account or process has already been compromised. The practical deadline is the point at which exploit analysis catches up with Microsoft’s patch—not the point at which an organization first sees attacks in its own telemetry.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: tomshardware.com
 

Back
Top