CVE-2026-49167 Fixed in Windows July 14, 2026 Updates

CVE-2026-49167, a Windows Kernel elevation-of-privilege vulnerability caused by a use-after-free memory error, is fixed in Microsoft’s July 14, 2026 security updates. The flaw requires an attacker to already have authorized local access, but successful exploitation could raise that attacker’s privileges and deepen a compromise on affected Windows clients and servers.
Microsoft classifies CVE-2026-49167 as Important, while the CVE data assigns it a CVSS 3.1 base score of 4.7. The Microsoft Security Response Center describes the weakness as a local privilege-escalation path in the Windows kernel, and the associated record maps it to CWE-416, the industry classification for use-after-free vulnerabilities.
The issue was released as part of an unusually large July Patch Tuesday containing hundreds of Microsoft fixes. BleepingComputer’s review of the release places CVE-2026-49167 among a substantial group of Windows kernel vulnerabilities addressed this month rather than among the three zero-days highlighted in the broader update.

Cybersecurity operations center featuring glowing shields, servers, threat analysis, and encrypted data protection.Local Access Keeps the Score Down, Not the Consequence​

CVE-2026-49167 is not a vulnerability that an unauthenticated attacker can directly trigger across the internet. Microsoft’s description says exploitation requires an authorized attacker to act locally, placing the flaw later in a typical attack chain.
That distinction explains the relatively modest CVSS score. An attacker must first obtain a foothold through stolen credentials, malicious software, another vulnerability, physical access, or abuse of an existing account. CVE-2026-49167 could then reportedly be used to escape the restrictions attached to that account.
This is precisely why kernel privilege-escalation bugs remain relevant to enterprise defenders even when their scores fall below the headline-grabbing 7.8 or 9.8 range. Initial access and privilege escalation are frequently separate steps: phishing or an exposed service gets an intruder onto a machine, while a kernel flaw helps turn that limited access into control over the system.
The publicly available description does not detail which kernel object is mishandled, how the freed memory is reused, or the exact privilege level an exploit would obtain. Microsoft has also not published exploit code or reproduction instructions. Administrators should therefore avoid treating “use after free” as a complete technical analysis; it identifies the bug class, not a documented exploitation recipe.
A use-after-free condition occurs when software continues to reference memory after that memory has been released. If an attacker can influence what occupies the freed region, the stale reference may be redirected toward attacker-controlled data, potentially altering kernel execution or protected state. Exploiting such conditions reliably can be difficult because memory timing and layout matter, which is consistent with the lower score assigned to this vulnerability.

The Report Confidence Text Is Not an Exploitation Warning​

The “report confidence” passage displayed in the Security Update Guide is generic explanatory text from the Common Vulnerability Scoring System. It explains what the metric measures across vulnerabilities; it does not, by itself, mean exploit code for CVE-2026-49167 is public or that attacks have been observed.
This distinction matters because the wording mentions functional exploits, source code, technical research, and vendor confirmation as examples of evidence that can raise confidence. Those examples describe the scoring framework rather than the current threat intelligence surrounding this specific Windows flaw.
Microsoft’s publication of the vulnerability and an official update confirms that the defect exists and has been addressed. However, the initial advisory does not provide evidence that CVE-2026-49167 was publicly disclosed before the patch or exploited in the wild. It should not be labeled a zero-day without a subsequent change to Microsoft’s exploitation assessment or corroborating threat reporting.
The absence of known exploitation is useful for prioritization, but it is not a reason to leave the update pending indefinitely. Kernel vulnerabilities often become easier to investigate after patches are released because researchers and attackers can compare updated and vulnerable binaries. That patch-diffing window can gradually turn a sparse advisory into actionable technical knowledge.

July Updates Move Supported Systems Past the Vulnerable Builds​

CVE-2026-49167 affects a broad collection of Windows releases, including Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Both x64 and ARM64 Windows 11 systems appear in the affected-product data, while applicable 32-bit Windows 10 installations are also included.
For the most common supported platforms, the July updates move systems to these builds:
  • Windows 11 25H2 and 24H2 receive KB5101650, reaching builds 26200.8875 and 26100.8875 respectively.
  • Windows 10 22H2 and 21H2 receive KB5099539, reaching builds 19045.7548 and 19044.7548.
  • Windows Server 2022 receives KB5099540, reaching build 20348.5386.
  • Windows Server 2019 must be updated to build 17763.9020 or later.
  • Windows Server 2025 must be updated to build 26100.33158 or later.
Windows 10 deserves particular attention because most version 22H2 installations passed the end of free support on October 14, 2025. Devices need an applicable Extended Security Updates entitlement or another supported servicing path to receive the July 2026 security fixes. Simply clicking “Check for updates” on an unsupported, unenrolled Windows 10 PC does not guarantee protection.
Administrators should verify deployment by checking the installed cumulative update and resulting OS build, rather than relying only on a successful synchronization in WSUS, Microsoft Configuration Manager, or another patch-management console. On individual systems, winver, the Settings update history, and PowerShell’s installed-package data provide quick confirmation.
Microsoft says it is not currently aware of issues with KB5101650 on Windows 11. The Windows Server 2022 release notes do document a possible BitLocker recovery prompt on a limited set of systems using an unrecommended Group Policy configuration, so server teams should validate recovery-key access before broad deployment. That operational concern may justify a staged rollout, but it does not remove the need to patch.

Prioritize Shared and High-Value Windows Hosts​

CVE-2026-49167 should be handled as a standard but meaningful local escalation issue. Internet-facing exposure is not the determining factor because exploitation occurs after access has already been obtained. Multi-user servers, jump hosts, virtual desktop infrastructure, developer workstations, help-desk systems, and machines used by privileged administrators carry the clearest downstream risk.
Security teams should also monitor endpoint telemetry for unusual processes interacting with kernel interfaces, unexplained transitions from standard-user activity to SYSTEM-level execution, and suspicious post-compromise tooling. Those signals are not unique to CVE-2026-49167, but they can expose the broader attack chain in which a local kernel exploit would be useful.
The practical fix is the July 14 cumulative update, not a registry workaround or service shutdown. With little public technical detail available, compensating controls cannot reliably neutralize the faulty kernel behavior. Deploy the appropriate cumulative update, confirm the new build on every managed endpoint, and keep CVE-2026-49167 in detection and vulnerability-management searches in case Microsoft later changes its exploitation assessment.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
  3. Related coverage: tomshardware.com
 

Back
Top