CVE-2026-49799 exposes Windows Local Security Authority Subsystem Service, better known as LSASS, to a network-based denial-of-service attack by an authenticated user. Microsoft fixed the vulnerability in the July 14, 2026 security updates, covering Windows 10, Windows 11, and Windows Server releases from Server 2012 through Server 2025.
Detailed in Microsoft’s Security Update Guide, the flaw is rated Important with a CVSS 3.1 base score of 6.5. Microsoft describes the underlying weakness as uncontrolled resource consumption: a low-privileged attacker can send traffic that consumes enough LSASS resources to disrupt service without requiring interaction from the targeted user.
The vulnerability was not publicly disclosed or known to be exploited when Microsoft published the advisory. Zero Day Initiative’s July security review likewise lists CVE-2026-49799 as neither public nor exploited, placing it below the month’s actively abused vulnerabilities but still firmly inside the normal enterprise patching queue.
The CVSS vector for CVE-2026-49799 is
The need for authorization is an important boundary. This is not an unauthenticated internet attack that any remote host can immediately launch against an exposed Windows machine. An attacker must first obtain valid access or operate through an already compromised account, service, or system.
That prerequisite does not make the vulnerability harmless. Credential theft, password reuse, compromised service accounts, malicious insiders, and footholds established through another vulnerability can all provide the privileges needed to reach a second-stage denial-of-service condition.
Microsoft assigns no confidentiality or integrity impact to the bug. CVE-2026-49799 is not documented as exposing credentials, changing security policy, or granting elevated access; its stated impact is availability. The concern is what stops working when LSASS can no longer process security operations normally.
The flaw is categorized as CWE-400, uncontrolled resource consumption. Microsoft has not published detailed packet structures, reproduction instructions, or root-cause analysis, limiting the technical information immediately available to prospective attackers as well as defenders.
That limited disclosure raises confidence in the vulnerability’s existence because Microsoft has acknowledged and patched it, while keeping exploit development less straightforward than it would be with public proof-of-concept code. Administrators should nevertheless watch for later technical research that identifies the affected protocol or provides reliable reproduction steps.
Windows also treats
On a workstation, that can interrupt the active session and any unsaved work. On a member server, the result can be lost availability for applications and users. On a domain controller, disruption to LSASS carries a wider operational risk because the machine may stop servicing authentication requests until it recovers.
Active Directory redundancy should prevent a single domain controller from becoming the only authentication path, but real deployments are rarely perfectly balanced. Sites may depend on a local domain controller because of WAN constraints, applications may be pinned to particular servers, and maintenance windows can temporarily reduce the number of available replicas.
An attacker able to repeat the resource-exhaustion sequence could potentially turn a recoverable crash into recurring disruption. Microsoft’s public description does not specify whether exploitation is immediately repeatable, how quickly resources are exhausted, or whether environmental limits change the result, so those details should not be assumed.
The security boundary therefore matters less than the operational role of the target. A low-privileged account causing a restart on an employee laptop is disruptive; the same account affecting a domain controller, remote-access server, or authentication-dependent application tier can have consequences well beyond that machine.
The server footprint is equally broad. Windows Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022, and Server 2025 are listed, including applicable Server Core installations. Older releases require the appropriate support or Extended Security Updates entitlement to receive July’s fixes.
Administrators can use the corrected build levels as a direct compliance check:
Because Windows cumulative updates replace earlier fixes, administrators do not need a standalone CVE-2026-49799 installer. Deploying the applicable July 2026 update—or a later cumulative update that supersedes it—brings the LSASS correction onto the system.
Build verification remains preferable to checking only whether an update deployment job reports success. Devices can appear compliant in management dashboards despite pending restarts, installation rollbacks, servicing-stack failures, or update applicability errors.
Domain controllers, identity-connected servers, VPN systems, Remote Desktop hosts, and machines accessible to large groups of authenticated users should receive priority. Systems with tightly restricted access and effective network segmentation can follow once higher-impact roles have cleared compatibility testing.
Security teams should also review telemetry for unusual LSASS resource growth, unexpected system restarts, and repeated authentication-service failures. Those symptoms are not unique to this CVE—LSASS problems can also result from faulty updates, directory issues, security software, or ordinary resource pressure—but repeated events tied to the same remote account or source host deserve investigation.
There is no Microsoft-documented workaround that offers the same protection as installing the update. Blocking unnecessary inbound access, limiting account privileges, segmenting administrative networks, and reducing service-account exposure can constrain attack paths, but those controls do not correct the resource-consumption flaw.
The immediate task is consequently conventional but important: test the July 14 updates, patch domain controllers and other authentication-sensitive systems, restart where required, and confirm the resulting OS builds. CVE-2026-49799 may lack the spectacle of remote code execution, but a reliable way to knock LSASS—and potentially the Windows host beneath it—out of service is exactly the sort of authenticated attack that becomes more dangerous after an intruder has already gained a foothold.
Detailed in Microsoft’s Security Update Guide, the flaw is rated Important with a CVSS 3.1 base score of 6.5. Microsoft describes the underlying weakness as uncontrolled resource consumption: a low-privileged attacker can send traffic that consumes enough LSASS resources to disrupt service without requiring interaction from the targeted user.
The vulnerability was not publicly disclosed or known to be exploited when Microsoft published the advisory. Zero Day Initiative’s July security review likewise lists CVE-2026-49799 as neither public nor exploited, placing it below the month’s actively abused vulnerabilities but still firmly inside the normal enterprise patching queue.
An Authenticated Attack Still Reaches Across the Network
The CVSS vector for CVE-2026-49799 is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. In practical terms, exploitation can cross a network, requires low privileges, is considered technically straightforward, and does not depend on somebody opening a file or clicking a link.The need for authorization is an important boundary. This is not an unauthenticated internet attack that any remote host can immediately launch against an exposed Windows machine. An attacker must first obtain valid access or operate through an already compromised account, service, or system.
That prerequisite does not make the vulnerability harmless. Credential theft, password reuse, compromised service accounts, malicious insiders, and footholds established through another vulnerability can all provide the privileges needed to reach a second-stage denial-of-service condition.
Microsoft assigns no confidentiality or integrity impact to the bug. CVE-2026-49799 is not documented as exposing credentials, changing security policy, or granting elevated access; its stated impact is availability. The concern is what stops working when LSASS can no longer process security operations normally.
The flaw is categorized as CWE-400, uncontrolled resource consumption. Microsoft has not published detailed packet structures, reproduction instructions, or root-cause analysis, limiting the technical information immediately available to prospective attackers as well as defenders.
That limited disclosure raises confidence in the vulnerability’s existence because Microsoft has acknowledged and patched it, while keeping exploit development less straightforward than it would be with public proof-of-concept code. Administrators should nevertheless watch for later technical research that identifies the affected protocol or provides reliable reproduction steps.
An LSASS Failure Is More Than a Crashed Background Service
LSASS is central to Windows authentication and security-policy enforcement. It participates in user logons, validates credentials, creates access tokens, and supports authentication technologies used across standalone PCs, member servers, and Active Directory environments.Windows also treats
lsass.exe as a critical system process. A serious LSASS failure can force Windows to restart rather than simply allowing an administrator to restart the service like an ordinary application component.On a workstation, that can interrupt the active session and any unsaved work. On a member server, the result can be lost availability for applications and users. On a domain controller, disruption to LSASS carries a wider operational risk because the machine may stop servicing authentication requests until it recovers.
Active Directory redundancy should prevent a single domain controller from becoming the only authentication path, but real deployments are rarely perfectly balanced. Sites may depend on a local domain controller because of WAN constraints, applications may be pinned to particular servers, and maintenance windows can temporarily reduce the number of available replicas.
An attacker able to repeat the resource-exhaustion sequence could potentially turn a recoverable crash into recurring disruption. Microsoft’s public description does not specify whether exploitation is immediately repeatable, how quickly resources are exhausted, or whether environmental limits change the result, so those details should not be assumed.
The security boundary therefore matters less than the operational role of the target. A low-privileged account causing a restart on an employee laptop is disruptive; the same account affecting a domain controller, remote-access server, or authentication-dependent application tier can have consequences well beyond that machine.
The Fix Spans Current and Legacy Windows Fleets
Microsoft’s affected-product data reaches across several Windows generations. It includes Windows 11 versions 24H2, 25H2, and 26H1, along with Windows 10 versions still receiving applicable servicing, including 1607, 1809, 21H2, and 22H2.The server footprint is equally broad. Windows Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022, and Server 2025 are listed, including applicable Server Core installations. Older releases require the appropriate support or Extended Security Updates entitlement to receive July’s fixes.
Administrators can use the corrected build levels as a direct compliance check:
- Windows 11 24H2 is corrected at build 26100.8875 or later.
- Windows 11 25H2 is corrected at build 26200.8875 or later.
- Windows 11 26H1 is corrected at build 28000.2269 or later.
- Windows Server 2022 is corrected at build 20348.5386 or later.
- Windows Server 2025 is corrected at build 26100.33158 or later.
- Windows Server 2019 is corrected at build 17763.9020 or later.
- Windows Server 2016 is corrected at build 14393.9339 or later.
Because Windows cumulative updates replace earlier fixes, administrators do not need a standalone CVE-2026-49799 installer. Deploying the applicable July 2026 update—or a later cumulative update that supersedes it—brings the LSASS correction onto the system.
Build verification remains preferable to checking only whether an update deployment job reports success. Devices can appear compliant in management dashboards despite pending restarts, installation rollbacks, servicing-stack failures, or update applicability errors.
Domain Controllers Belong Near the Front of the Queue
CVE-2026-49799 is not one of July’s zero-days, and Microsoft’s available assessment does not indicate active exploitation. That supports controlled testing rather than emergency shutdowns or improvised network changes, but it does not justify leaving authentication infrastructure exposed for an extended period.Domain controllers, identity-connected servers, VPN systems, Remote Desktop hosts, and machines accessible to large groups of authenticated users should receive priority. Systems with tightly restricted access and effective network segmentation can follow once higher-impact roles have cleared compatibility testing.
Security teams should also review telemetry for unusual LSASS resource growth, unexpected system restarts, and repeated authentication-service failures. Those symptoms are not unique to this CVE—LSASS problems can also result from faulty updates, directory issues, security software, or ordinary resource pressure—but repeated events tied to the same remote account or source host deserve investigation.
There is no Microsoft-documented workaround that offers the same protection as installing the update. Blocking unnecessary inbound access, limiting account privileges, segmenting administrative networks, and reducing service-account exposure can constrain attack paths, but those controls do not correct the resource-consumption flaw.
The immediate task is consequently conventional but important: test the July 14 updates, patch domain controllers and other authentication-sensitive systems, restart where required, and confirm the resulting OS builds. CVE-2026-49799 may lack the spectacle of remote code execution, but a reliable way to knock LSASS—and potentially the Windows host beneath it—out of service is exactly the sort of authenticated attack that becomes more dangerous after an intruder has already gained a foothold.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: microsoft.com
Active attack: Dirty Frag Linux vulnerability expands post-compromise risk | Microsoft Security Blog
Dirty Frag is a newly disclosed Linux local privilege escalation vulnerability affecting kernel networking and memory-fragment handling components including esp4, esp6, and rxrpc. The vulnerability enables reliable escalation from an unprivileged user to root and may be leveraged after initial...www.microsoft.com - Official source: support.microsoft.com
April 2026 Windows security updates introduce protections to known vulnerable kernel drivers | Microsoft Support
April 2026 Windows security updates introduce protections to known vulnerable kernel driverssupport.microsoft.com - Related coverage: tomshardware.com
Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild | Tom's Hardware
System administrators, run the May 12 patch immediately if you haven't already.www.tomshardware.com