Microsoft’s July 2026 security updates fix CVE-2026-49801, a Windows SMB information-disclosure vulnerability that can allow a signed-in attacker to obtain sensitive data from local system memory. The flaw affects multiple generations of Windows 10, Windows 11, and Windows Server, making the cumulative updates released on July 14 the practical remedy for most installations.
Microsoft describes the underlying weakness as the use of an uninitialized resource in Windows Server Message Block. The company assigned the vulnerability a CVSS 3.1 score of 5.5 and a Medium severity rating, while Patch Tuesday coverage from BleepingComputer lists it among Microsoft’s Important-rated Windows flaws.
This is not another SMBGhost or EternalBlue-style unauthenticated network compromise. Microsoft’s scoring says an attacker requires local access and low-level privileges, but no user interaction; a successful exploit can have a high confidentiality impact without directly changing data or disrupting system availability.
The CVSS vector for CVE-2026-49801 is
That distinction should shape how administrators prioritize the update. The vulnerability is unlikely to provide an attacker’s initial route into an organization, but it may be useful after an account or endpoint has already been compromised. Information exposed from uninitialized memory could potentially assist reconnaissance, credential theft, privilege escalation, or another stage of an attack, although Microsoft has not publicly described the exact data that can be recovered.
An uninitialized resource flaw occurs when software allocates or reuses a resource without properly establishing its contents or state before making it available. If the resource still contains residual information, another process or user may be able to observe data that was not intended for them.
The vulnerability is cataloged as CWE-908, Use of Uninitialized Resource. Microsoft has not published proof-of-concept code, a detailed description of the affected SMB operation, or instructions for reproducing the disclosure. Administrators should therefore avoid assuming that familiar SMB controls, such as blocking TCP port 445 at the perimeter, fully mitigate a flaw whose attack vector is explicitly local.
The corrected build thresholds recorded for current Windows 11 branches include:
Those version ranges do not mean every consumer installation will receive a standalone update under ordinary public support. Some listed releases survive only in Long-Term Servicing Channel deployments, Extended Security Updates, embedded scenarios, or other specialized servicing arrangements. Administrators must match the operating-system edition and support entitlement to the July 2026 update offered through Windows Update, Windows Server Update Services, Microsoft Configuration Manager, or the Microsoft Update Catalog.
For Windows 10 endpoints that have passed normal support deadlines, simply identifying the vulnerable build is not enough. Organizations need to confirm that the device is enrolled in an eligible Extended Security Updates program or migrate it to a supported Windows release. A machine can remain operational and apparently healthy while receiving no correction for newly disclosed vulnerabilities.
This profile is especially relevant on shared servers, Remote Desktop Session Hosts, developer workstations, virtual desktop infrastructure, and other systems where users with different trust levels operate on the same Windows installation. A local disclosure primitive can be more valuable on those machines than on a tightly controlled single-user endpoint because more identities, services, and sensitive workloads may coexist in memory.
File servers deserve attention even though the disclosed attack vector is local rather than network-based. Backup agents, management tools, monitoring software, third-party storage utilities, and interactive administrators routinely run on these systems. An attacker who compromises one low-privilege context could attempt to use the flaw to gather information belonging to a more trusted process.
Microsoft has not claimed that disabling SMBv1 resolves CVE-2026-49801, and the advisory does not identify the problem as an SMBv1-only weakness. Removing SMBv1 remains sensible hardening, but it should not be substituted for installing the security update. Likewise, SMB signing and encryption address different threats and should not be treated as confirmed workarounds unless Microsoft later documents that protection.
There is also no public indication that the vulnerability was disclosed before Microsoft released its fix. That gives administrators room to follow normal staged deployment procedures, but it is not a reason to defer the update indefinitely. Microsoft’s Patch Tuesday disclosure supplies attackers with affected version ranges, the weakness category, the vulnerable subsystem, and enough scoring information to guide vulnerability research.
The National Vulnerability Database is still enriching its entry and has not supplied an independent NVD score. Its current 5.5 rating comes from Microsoft, acting as the CVE Numbering Authority. The absence of an NVD assessment does not cast doubt on the vulnerability’s existence; Microsoft has acknowledged the flaw, assigned affected versions, and shipped corrected builds.
The confidence explanation displayed alongside vulnerability metrics is a general description of how evidence maturity can be assessed. It should not be read as Microsoft expressing uncertainty that CVE-2026-49801 exists. What remains limited is the public technical detail about the exact SMB code path, the contents that may be exposed, and whether practical exploitation works consistently across affected Windows versions.
After deployment, inventory systems by OS version and build rather than relying only on a management console’s generic “compliant” status. A useful verification pass should identify Windows 11 24H2 machines below 26100.8875, Windows 11 25H2 machines below 26200.8875, Windows 11 26H1 machines below 28000.2269, and applicable Windows 10 21H2 or 22H2 systems below builds 19044.7548 and 19045.7548.
Security teams should also monitor for local privilege abuse and unexpected access to SMB-related processes, but there is no published exploit signature specific enough to replace patching. Endpoint detection controls may catch the compromise that precedes exploitation, yet they cannot guarantee that residual memory will never be disclosed through the vulnerable code path.
The decisive control is reaching the corrected July 2026 build. CVE-2026-49801 may not be remotely exploitable or currently weaponized, but its low complexity and high confidentiality impact make it relevant anywhere low-privilege users, services, or compromised processes share a Windows host with sensitive workloads.
Microsoft describes the underlying weakness as the use of an uninitialized resource in Windows Server Message Block. The company assigned the vulnerability a CVSS 3.1 score of 5.5 and a Medium severity rating, while Patch Tuesday coverage from BleepingComputer lists it among Microsoft’s Important-rated Windows flaws.
This is not another SMBGhost or EternalBlue-style unauthenticated network compromise. Microsoft’s scoring says an attacker requires local access and low-level privileges, but no user interaction; a successful exploit can have a high confidentiality impact without directly changing data or disrupting system availability.
The Attack Begins Inside Windows
The CVSS vector for CVE-2026-49801 is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, exploitation is local, attack complexity is low, the attacker must already hold limited privileges, and the victim does not need to click a link, open a document, or approve a prompt.That distinction should shape how administrators prioritize the update. The vulnerability is unlikely to provide an attacker’s initial route into an organization, but it may be useful after an account or endpoint has already been compromised. Information exposed from uninitialized memory could potentially assist reconnaissance, credential theft, privilege escalation, or another stage of an attack, although Microsoft has not publicly described the exact data that can be recovered.
An uninitialized resource flaw occurs when software allocates or reuses a resource without properly establishing its contents or state before making it available. If the resource still contains residual information, another process or user may be able to observe data that was not intended for them.
The vulnerability is cataloged as CWE-908, Use of Uninitialized Resource. Microsoft has not published proof-of-concept code, a detailed description of the affected SMB operation, or instructions for reproducing the disclosure. Administrators should therefore avoid assuming that familiar SMB controls, such as blocking TCP port 445 at the perimeter, fully mitigate a flaw whose attack vector is explicitly local.
Supported Windows Releases Share the Exposure
The CVE record identifies affected builds across client and server editions, including Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 versions 21H2 and 22H2, Windows 11 versions 24H2 and 25H2, and Windows 11 version 26H1. Both x64 and Arm64 Windows 11 systems are included where those architectures are available.The corrected build thresholds recorded for current Windows 11 branches include:
- Windows 11 Version 24H2 systems should reach build 26100.8875 or later.
- Windows 11 Version 25H2 systems should reach build 26200.8875 or later.
- Windows 11 Version 26H1 systems should reach build 28000.2269 or later.
- Windows 10 Version 22H2 systems receiving the applicable servicing channel should reach build 19045.7548 or later.
- Windows 10 Version 21H2 systems still covered by an applicable support program should reach build 19044.7548 or later.
Those version ranges do not mean every consumer installation will receive a standalone update under ordinary public support. Some listed releases survive only in Long-Term Servicing Channel deployments, Extended Security Updates, embedded scenarios, or other specialized servicing arrangements. Administrators must match the operating-system edition and support entitlement to the July 2026 update offered through Windows Update, Windows Server Update Services, Microsoft Configuration Manager, or the Microsoft Update Catalog.
For Windows 10 endpoints that have passed normal support deadlines, simply identifying the vulnerable build is not enough. Organizations need to confirm that the device is enrolled in an eligible Extended Security Updates program or migrate it to a supported Windows release. A machine can remain operational and apparently healthy while receiving no correction for newly disclosed vulnerabilities.
A Medium Score Still Carries High Confidentiality Impact
CVE-2026-49801’s 5.5 score reflects the access an attacker needs, not a claim that the information exposed is harmless. The confidentiality component is rated High, while integrity and availability are rated None. That means the modeled outcome is reading protected information rather than modifying files, taking over the system directly, or crashing the SMB service.This profile is especially relevant on shared servers, Remote Desktop Session Hosts, developer workstations, virtual desktop infrastructure, and other systems where users with different trust levels operate on the same Windows installation. A local disclosure primitive can be more valuable on those machines than on a tightly controlled single-user endpoint because more identities, services, and sensitive workloads may coexist in memory.
File servers deserve attention even though the disclosed attack vector is local rather than network-based. Backup agents, management tools, monitoring software, third-party storage utilities, and interactive administrators routinely run on these systems. An attacker who compromises one low-privilege context could attempt to use the flaw to gather information belonging to a more trusted process.
Microsoft has not claimed that disabling SMBv1 resolves CVE-2026-49801, and the advisory does not identify the problem as an SMBv1-only weakness. Removing SMBv1 remains sensible hardening, but it should not be substituted for installing the security update. Likewise, SMB signing and encryption address different threats and should not be treated as confirmed workarounds unless Microsoft later documents that protection.
Exploitation Is Not Currently Reported
As of July 15, 2026, the public CVE record does not indicate active exploitation. CISA’s initial Stakeholder-Specific Vulnerability Categorization data marks exploitation as “none,” describes automated exploitation as unlikely, and assesses the technical impact as partial.There is also no public indication that the vulnerability was disclosed before Microsoft released its fix. That gives administrators room to follow normal staged deployment procedures, but it is not a reason to defer the update indefinitely. Microsoft’s Patch Tuesday disclosure supplies attackers with affected version ranges, the weakness category, the vulnerable subsystem, and enough scoring information to guide vulnerability research.
The National Vulnerability Database is still enriching its entry and has not supplied an independent NVD score. Its current 5.5 rating comes from Microsoft, acting as the CVE Numbering Authority. The absence of an NVD assessment does not cast doubt on the vulnerability’s existence; Microsoft has acknowledged the flaw, assigned affected versions, and shipped corrected builds.
The confidence explanation displayed alongside vulnerability metrics is a general description of how evidence maturity can be assessed. It should not be read as Microsoft expressing uncertainty that CVE-2026-49801 exists. What remains limited is the public technical detail about the exact SMB code path, the contents that may be exposed, and whether practical exploitation works consistently across affected Windows versions.
Patch First, Then Verify the Build
Organizations should deploy the appropriate July 2026 cumulative or security-only update through their established Windows servicing process. Because the SMB fix is delivered as part of the monthly update stack, administrators generally do not need to locate or install a separate CVE-specific package.After deployment, inventory systems by OS version and build rather than relying only on a management console’s generic “compliant” status. A useful verification pass should identify Windows 11 24H2 machines below 26100.8875, Windows 11 25H2 machines below 26200.8875, Windows 11 26H1 machines below 28000.2269, and applicable Windows 10 21H2 or 22H2 systems below builds 19044.7548 and 19045.7548.
Security teams should also monitor for local privilege abuse and unexpected access to SMB-related processes, but there is no published exploit signature specific enough to replace patching. Endpoint detection controls may catch the compromise that precedes exploitation, yet they cannot guarantee that residual memory will never be disclosed through the vulnerable code path.
The decisive control is reaching the corrected July 2026 build. CVE-2026-49801 may not be remotely exploitable or currently weaponized, but its low complexity and high confidentiality impact make it relevant anywhere low-privilege users, services, or compromised processes share a Windows host with sensitive workloads.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com