CVE-2026-49800: Install July Updates to Fix Windows WPAD Elevation

CVE-2026-49800 exposes supported Windows clients and servers to a local privilege-escalation attack through the Web Proxy Auto-Discovery Protocol, with Microsoft assigning the flaw a CVSS 3.1 score of 7.8 High. The fix shipped in Microsoft’s July 14, 2026 security updates, and administrators should treat the resulting Windows build numbers as the clearest deployment check.
Detailed in the Microsoft Security Response Center’s Security Update Guide, the vulnerability stems from an integer overflow or wraparound in Windows WPAD processing. An attacker must already have low-privilege access to the target, but successful exploitation could provide elevated control without requiring another user to open a file, follow a link, or approve a prompt.
The National Vulnerability Database lists no observed exploitation as of July 14. That lowers the immediate emergency level compared with an actively exploited zero-day, but the potential impact is substantial: Microsoft’s CVSS vector assigns High ratings to confidentiality, integrity, and availability.

Cybersecurity diagram shows a PAC file vulnerability patched, blocking privilege escalation across an enterprise network.A Local Flaw With System-Level Consequences​

Microsoft describes CVE-2026-49800 as an elevation-of-privilege vulnerability that an authorized attacker can exploit locally. In practical terms, this is not a drive-by attack against an untouched Windows PC over the internet. The attacker needs an existing foothold and low-level privileges on the machine before attempting to trigger the vulnerable WPAD code path.
That prerequisite matters, but it does not make the bug harmless. Privilege-escalation vulnerabilities are commonly used after phishing, malicious downloads, stolen credentials, or exploitation of a separate remote-access flaw. Initial access gets an attacker onto the endpoint; elevation of privilege can then help break out of a restricted account, tamper with security controls, access protected data, or establish deeper persistence.
Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It indicates a local attack vector, low attack complexity, low privileges required, and no user interaction. The scope remains unchanged, but a successful attack can have a high impact across all three primary security categories.
CISA’s vulnerability record classified the exploitation status as “none” when the CVE was published and assessed the attack as not readily automatable. It nevertheless rated the potential technical impact as total. That combination describes a vulnerability that may be less useful for indiscriminate mass exploitation but potentially serious when incorporated into a targeted intrusion or a multi-stage attack chain.
Microsoft’s report-confidence metric is Confirmed, meaning the vendor has acknowledged the vulnerability and considers the available technical evidence sufficient to establish that it exists. That metric is not a prediction that exploitation is imminent; it distinguishes a verified defect from an early or uncertain report.

WPAD Remains Buried in Windows Networking​

WPAD enables Windows to discover a Proxy Auto-Config, or PAC, file from the local network. The operating system can use DHCP or DNS-based discovery to locate proxy configuration automatically, sparing administrators from entering proxy settings manually on every endpoint.
Microsoft documents WPAD as part of both Windows proxy management and the WinHTTP stack used by applications and services. The relevant Windows component includes the WinHTTP Web Proxy Auto-Discovery Service, displayed as WinHttpAutoProxySvc in service-management and diagnostic tools.
CVE-2026-49800 is tied to memory-safety failures rather than merely an unsafe network configuration. The NVD record associates it with both CWE-190, Integer Overflow or Wraparound, and CWE-122, Heap-Based Buffer Overflow. An incorrect arithmetic operation can produce a buffer size or memory boundary that does not match the data subsequently handled, creating the conditions for memory corruption.
Microsoft has not publicly provided enough exploit-level detail to determine precisely how an attacker reaches the vulnerable operation or what additional constraints may apply. Administrators should therefore avoid assuming that disabling a visible “Automatically detect settings” toggle completely eliminates exposure. WinHTTP, WinINet, user settings, services, and applications can interact with proxy discovery through different paths.
WPAD also has a long security history. Microsoft addressed earlier WPAD privilege-escalation and proxy-discovery problems in security bulletin MS16-077 in June 2016. Those older vulnerabilities involved Windows’ handling of proxy discovery and network name-resolution scenarios; CVE-2026-49800 is a separate 2026 memory-corruption issue, not a reissue of the decade-old bugs.

The Patched Builds Define the Baseline​

The CVE record identifies Windows 10, Windows 11, and Windows Server releases as affected. Systems running builds below the July 2026 thresholds remain vulnerable:
  • Windows 10 version 1809 and Windows Server 2019 must reach build 17763.9020.
  • Windows 10 versions 21H2 and 22H2 must reach builds 19044.7548 and 19045.7548, respectively.
  • Windows 11 versions 24H2 and 25H2 must reach build 26100.8875 or 26200.8875.
  • Windows 11 version 26H1 must reach build 28000.2269.
  • Windows Server 2022 must reach build 20348.5386.
  • Windows Server 2025 must reach build 26100.33158.
The affected list includes x64 and ARM64 Windows 11 systems, along with the applicable 32-bit, x64, and ARM64 editions of Windows 10. Both full and Server Core installations of Windows Server 2019 and Windows Server 2025 are covered.
Administrators can check the installed OS build with winver, Get-ComputerInfo, or their endpoint-management inventory. Windows Update, Windows Server Update Services, Microsoft Configuration Manager, and Windows Autopatch should report the July cumulative update, but validating the resulting build provides an additional guard against supersedence, detection, and reporting mistakes.
Because the repair is delivered through cumulative Windows servicing, organizations do not need to locate a standalone WPAD hotfix. The July cumulative update moves the operating system beyond the vulnerable build threshold while also addressing the other Windows security defects included in the monthly release.
Testing remains appropriate for proxy-dependent estates. Devices that rely on PAC files, transparent proxy infrastructure, authenticated outbound gateways, VPN clients, or security agents that modify WinHTTP settings deserve particular attention during pilot deployment. The vulnerability itself is an argument for speed, but a broken proxy path can also disconnect management agents and interfere with update delivery.

Disabling WPAD Is Defense in Depth, Not the Patch​

Organizations that do not use automatic proxy discovery can reduce attack surface by disabling WPAD. Microsoft documents a DisableWpad DWORD under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
Setting that value to 1 disables WPAD detection for proxy-discovery calls made through WinHTTP. Microsoft warns that proxies must then be configured manually, and that the registry setting does not prevent every application from independently resolving the WPAD hostname through DNS.
That distinction is important for enterprise change control. Disabling the WinHTTP discovery path does not necessarily govern third-party browsers, applications using different networking APIs, or software with its own PAC discovery implementation. Microsoft’s documentation recommends addressing both the Windows settings interface and the relevant system configuration when an organization intends to remove WPAD comprehensively.
Administrators should also verify that disabling discovery does not strand services that run outside the logged-in user’s proxy context. Backup agents, activation services, endpoint security products, package managers, and Windows management components can behave differently from interactive browsers when proxy settings change.
For most environments, installing the July 2026 cumulative update is the primary remediation. Disabling unused WPAD functionality is a supplementary hardening measure, not a substitute for correcting the underlying integer-overflow and heap-buffer condition.
CVE-2026-49800 was not known to be under active attack when Microsoft published it on July 14, 2026. The operational priority is therefore straightforward: move supported Windows systems to the patched build, verify servers and endpoints that depend on automatic proxy configuration, and investigate any device that remains below its release-specific build threshold after the July deployment window.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
 

Back
Top