CVE-2026-49784: Patch Windows App Store Privilege Escalation

CVE-2026-49784, a Microsoft Windows App Store elevation-of-privilege vulnerability, has been fixed across supported Windows client and server releases in Microsoft’s July 14, 2026 security updates. The flaw carries a CVSS 3.1 score of 7.0 and could let an attacker who already has local access raise their privileges by exploiting a race condition in the Store component.
Microsoft describes the issue as concurrent access to a shared resource without proper synchronization. The CVE record also maps it to CWE-362, the general category for race conditions, and CWE-416, which covers use-after-free memory errors.
Detailed in Microsoft’s Security Update Guide and published with the July 2026 Patch Tuesday release, the advisory identifies Windows 10, Windows 11, and Windows Server installations as affected. Administrators should deploy the corresponding cumulative security update rather than looking for a separate Microsoft Store package.

Cybersecurity operations scene with Windows screens, warning shield, server racks, and network monitoring graphics.A Local Foothold Is Required, but the Payoff Is Powerful​

CVE-2026-49784 is not described as a drive-by or remotely exploitable vulnerability. Microsoft says an authorized attacker must exploit it locally, meaning the attacker needs some ability to sign in or execute code on the target before attempting privilege escalation.
That requirement limits the initial attack surface, but it does not make the vulnerability harmless. Local elevation-of-privilege flaws are commonly used after phishing, malicious downloads, credential theft, or exploitation of another application has delivered an initial foothold.
Successful exploitation could move an attacker beyond the permissions assigned to the compromised account. Depending on the resulting security context, that could open access to protected files, security settings, services, credentials, and other users’ data.
The vulnerability’s CVSS score reflects this distinction. A 7.0 rating is below the threshold normally associated with remotely exploitable critical flaws, but it still represents a substantial risk on shared workstations, application servers, virtual desktop infrastructure, and systems where users run untrusted software.
The race-condition classification also matters. Rather than relying on a straightforward permissions mistake, an attacker would attempt to manipulate the timing of operations involving a shared resource. The associated use-after-free category indicates that memory could be referenced after it has been released, potentially creating an opportunity to alter execution or cross a privilege boundary.
Such timing dependencies can make exploitation less reliable than a simple logic bug. They can also complicate detection because a failed attempt may resemble an application crash or transient Store error instead of an obvious security event.

The Affected List Reaches Beyond Consumer PCs​

Despite the “Windows App Store” product name, Microsoft lists a broad range of operating systems, including server editions and Server Core installations. That makes CVE-2026-49784 relevant to enterprise patching programs even where administrators believe the Microsoft Store has been disabled or is not routinely used.
The affected releases and corrected build boundaries include:
  • Windows 10 version 1607 is affected before build 14393.9339.
  • Windows 10 version 1809 is affected before build 17763.9020.
  • Windows 10 version 21H2 is affected before build 19044.7548.
  • Windows 10 version 22H2 is affected before build 19045.7548.
  • Windows 11 version 24H2 is affected before build 26100.8875.
  • Windows 11 version 25H2 is affected before build 26200.8875.
  • Windows 11 version 26H1 is affected before build 28000.2269.
  • Windows Server 2016 is affected before build 14393.9339.
  • Windows Server 2019 is affected before build 17763.9020.
  • Windows Server 2022 is affected before build 20348.5386.
  • Windows Server 2025 is affected before build 26100.33158.
The Windows Server 2016, Windows Server 2019, and Windows Server 2025 entries explicitly include Server Core installations. Both x64 and ARM64 systems appear in the affected Windows 11 entries, while older Windows 10 releases also include 32-bit systems where supported.
Some vulnerability feeds initially presented confusing product labels when translating Microsoft’s affected-platform data. The underlying Microsoft-authored CVE record is clearer: the server entries correspond to Windows Server 2016, 2019, 2022, and 2025, not Windows Server 2008.
The breadth of that list is a reminder that Windows components can remain present as servicing dependencies even when their visible user interface is unavailable. Removing Store shortcuts, blocking application installation through policy, or operating Server Core should not be treated as a substitute for installing the security update.

Build Numbers Offer the Fastest Verification​

Administrators can verify remediation by comparing the installed OS build with Microsoft’s corrected build boundary. Running winver is sufficient for an individual workstation, while PowerShell, Microsoft Configuration Manager, Windows Update for Business reports, Intune, or another endpoint-management platform will be more practical across a fleet.
For example, a Windows 11 24H2 device below build 26100.8875 remains in the affected range. Windows 11 25H2 should reach build 26200.8875 or later, while Windows Server 2025 should reach build 26100.33158 or later.
Those numbers should be assessed alongside edition, servicing channel, and architecture. A device reporting a lower build is not protected merely because Microsoft Store applications have automatic updates enabled: this CVE is addressed through the operating system’s security servicing process.
Organizations testing July’s cumulative updates should prioritize systems where local code execution is comparatively easy or where privilege boundaries carry particular importance. Multiuser endpoints, developer workstations, jump boxes, Windows 365 and Azure Virtual Desktop hosts, and machines processing untrusted packages are natural candidates for accelerated deployment.
Security teams should also watch for unexplained crashes or abnormal activity involving Store-related processes. Microsoft has not supplied public exploit code or detailed indicators of compromise in the available advisory, so behavioral monitoring will be more useful than searching for a single published filename or command line.

Confidence Is High Even Though Exploit Detail Is Limited​

The vulnerability information originates with Microsoft, the vendor responsible for the affected component, and is incorporated into the formal CVE record. That provides strong confidence that the underlying defect exists and that the listed Windows updates correct it.
Public technical detail remains deliberately limited. Microsoft identifies the vulnerability classes, local attack requirement, affected products, and security impact, but does not publish the vulnerable function, a proof of concept, or a step-by-step exploitation path.
That difference is important when judging urgency. The vulnerability is confirmed rather than speculative, but the available information does not hand attackers a complete recipe. A race condition may further increase the engineering work required to produce a dependable exploit.
Defenders should not assume the absence of public detail will last. Patch comparison can reveal changes in updated binaries, and attackers routinely reverse-engineer Microsoft fixes after Patch Tuesday to understand the corrected code path.
CVE-2026-49784 therefore belongs in the normal July 2026 cumulative-update rollout, with faster handling on systems exposed to untrusted local users or code. The concrete completion criterion is straightforward: ensure each affected machine has reached its corrected July build or a later cumulative build, including Windows Server installations where the Store itself appears to play no operational role.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
 

Back
Top