CVE-2026-49807 is a newly patched Windows DirectX vulnerability that could allow a local, unauthorized attacker to extract sensitive information from affected Windows 10, Windows 11, and Windows Server systems. Microsoft addressed the flaw in its July 14, 2026 security updates, rating it Important with a CVSS 3.1 base score of 6.2.
Detailed in Microsoft’s Security Update Guide and subsequently published by the National Vulnerability Database, the vulnerability is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Microsoft has not published technical details describing the vulnerable DirectX component, the data that could be exposed, or a practical exploitation sequence.
The limited disclosure leaves administrators with a straightforward response: install the July cumulative updates rather than attempting to mitigate an incompletely documented DirectX weakness through configuration changes.
Microsoft’s CVSS vector for CVE-2026-49807 is
The attack vector is local, so the vulnerability cannot, based on Microsoft’s current assessment, be exploited directly across a network. An attacker would first need some means of executing code or otherwise interacting with the targeted Windows device locally.
Once that condition is met, however, Microsoft assigns low attack complexity. The vector also says that exploitation requires no privileges and no interaction from another user. A successfully positioned attacker therefore would not need an existing authenticated account or need to persuade the victim to click through a prompt.
The stated impact is confined to confidentiality. Microsoft rates that potential impact as high, while assigning no direct integrity or availability impact. In practical terms, the vulnerability is designed to describe an information leak rather than a mechanism for modifying data, gaining SYSTEM privileges, or crashing the machine.
That distinction prevents CVE-2026-49807 from being treated as a stand-alone remote compromise. It does not make the flaw harmless. Information-disclosure vulnerabilities can expose memory contents, addresses, credentials, or other data useful in defeating security boundaries, although Microsoft has not said which category of information is at risk here.
Microsoft also lists Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core installations of Windows Server 2019 and Windows Server 2025 are included, which is an important reminder that removing the desktop shell does not necessarily remove vulnerable graphics infrastructure from Windows.
The fixed build thresholds published through the CVE record are:
The Windows 11 26H1 entry is unusual because its listed fixed threshold, build 28000.2269, corresponds to the June 2026 security update KB5095051. That suggests the newer 26H1 branch received the relevant correction earlier than the formal July disclosure. Administrators should still rely on Microsoft’s current servicing channel and latest cumulative update rather than treating an older build threshold as a recommendation to stop patching.
CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment recorded no known exploitation for CVE-2026-49807. It also characterized exploitation as not automatable and the technical impact as partial. Those observations align with Microsoft’s local attack vector and confidentiality-only impact.
CVE-2026-49807 was not one of the publicly disclosed or actively exploited zero-days highlighted in the broader July 2026 Patch Tuesday release. Microsoft’s July rollout was exceptionally large, with BleepingComputer counting 570 Microsoft vulnerabilities, including 102 information-disclosure issues. The DirectX flaw sits in that substantial second tier of bugs that warrant remediation but do not currently demand emergency zero-day procedures.
Microsoft has not supplied a workaround or mitigation specific to CVE-2026-49807. There is consequently little value in disabling unrelated DirectX features, removing graphics applications, or attempting driver changes without evidence that those steps block the vulnerable path. Such actions could disrupt production workloads while leaving the underlying Windows component exposed.
Microsoft’s vector makes that possibility worth noting: exploitation requires no privileges, needs no victim interaction, and may have a high confidentiality impact once local access is established. Those properties can make an information leak useful after an attacker gains an initial execution foothold through malware, a malicious document, a browser weakness, or another unpatched service.
There is no public evidence that CVE-2026-49807 currently forms part of such a chain. Microsoft has also withheld enough implementation detail that defenders cannot yet map the vulnerability to a specific DLL, graphics API, media workflow, or application behavior. Any claim that a particular game, browser, virtual desktop platform, or GPU workload triggers the bug would therefore be speculative.
For enterprise IT, patch prioritization should reflect both that uncertainty and the breadth of affected systems. Internet-facing servers do not appear directly exploitable through this vulnerability alone, but shared workstations, virtual desktop infrastructure, developer machines, gaming PCs, and systems that process untrusted graphics or media content should not be left behind during the July rollout.
Administrators should deploy the relevant cumulative update, restart systems where required, and verify that devices have reached or exceeded Microsoft’s fixed build levels. Because Windows updates are cumulative, installing the current security update also covers the DirectX correction without requiring a separate package.
The next meaningful development will be any revision from Microsoft identifying the exposed information or vulnerable DirectX path. Until then, CVE-2026-49807 remains a confirmed but technically opaque local disclosure flaw—one addressed most reliably by completing the July 2026 Windows update cycle.
Detailed in Microsoft’s Security Update Guide and subsequently published by the National Vulnerability Database, the vulnerability is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Microsoft has not published technical details describing the vulnerable DirectX component, the data that could be exposed, or a practical exploitation sequence.
The limited disclosure leaves administrators with a straightforward response: install the July cumulative updates rather than attempting to mitigate an incompletely documented DirectX weakness through configuration changes.
A Local Attack With No Account or User Interaction Required
Microsoft’s CVSS vector for CVE-2026-49807 is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Each part of that vector helps define the risk more precisely than the 6.2 score alone.The attack vector is local, so the vulnerability cannot, based on Microsoft’s current assessment, be exploited directly across a network. An attacker would first need some means of executing code or otherwise interacting with the targeted Windows device locally.
Once that condition is met, however, Microsoft assigns low attack complexity. The vector also says that exploitation requires no privileges and no interaction from another user. A successfully positioned attacker therefore would not need an existing authenticated account or need to persuade the victim to click through a prompt.
The stated impact is confined to confidentiality. Microsoft rates that potential impact as high, while assigning no direct integrity or availability impact. In practical terms, the vulnerability is designed to describe an information leak rather than a mechanism for modifying data, gaining SYSTEM privileges, or crashing the machine.
That distinction prevents CVE-2026-49807 from being treated as a stand-alone remote compromise. It does not make the flaw harmless. Information-disclosure vulnerabilities can expose memory contents, addresses, credentials, or other data useful in defeating security boundaries, although Microsoft has not said which category of information is at risk here.
DirectX Expands the Patch Across Client and Server Windows
The affected-product record spans multiple Windows generations and processor architectures. CVE-2026-49807 affects supported installations of Windows 10 Version 1809, Windows 10 21H2, Windows 10 22H2, Windows 11 24H2, Windows 11 25H2, and Windows 11 26H1.Microsoft also lists Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core installations of Windows Server 2019 and Windows Server 2025 are included, which is an important reminder that removing the desktop shell does not necessarily remove vulnerable graphics infrastructure from Windows.
The fixed build thresholds published through the CVE record are:
- Windows 10 Version 1809 and Windows Server 2019 are affected below build 17763.9020.
- Windows 10 Version 21H2 is affected below build 19044.7548.
- Windows 10 Version 22H2 is affected below build 19045.7548.
- Windows 11 Version 24H2 is affected below build 26100.8875.
- Windows 11 Version 25H2 is affected below build 26200.8875.
- Windows 11 Version 26H1 is listed as affected below build 28000.2269.
- Windows Server 2022 is affected below build 20348.5386.
- Windows Server 2025 is affected below build 26100.33158.
winver, PowerShell inventory, endpoint-management reporting, or their usual update-compliance tooling.The Windows 11 26H1 entry is unusual because its listed fixed threshold, build 28000.2269, corresponds to the June 2026 security update KB5095051. That suggests the newer 26H1 branch received the relevant correction earlier than the formal July disclosure. Administrators should still rely on Microsoft’s current servicing channel and latest cumulative update rather than treating an older build threshold as a recommendation to stop patching.
“Confirmed” Describes Evidence, Not Active Exploitation
The report-confidence metric attached to the advisory can easily be misread. A status of confirmed means the vendor has acknowledged the vulnerability or sufficient technical evidence exists to substantiate it. It does not mean Microsoft has confirmed attacks in the wild.CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment recorded no known exploitation for CVE-2026-49807. It also characterized exploitation as not automatable and the technical impact as partial. Those observations align with Microsoft’s local attack vector and confidentiality-only impact.
CVE-2026-49807 was not one of the publicly disclosed or actively exploited zero-days highlighted in the broader July 2026 Patch Tuesday release. Microsoft’s July rollout was exceptionally large, with BleepingComputer counting 570 Microsoft vulnerabilities, including 102 information-disclosure issues. The DirectX flaw sits in that substantial second tier of bugs that warrant remediation but do not currently demand emergency zero-day procedures.
Microsoft has not supplied a workaround or mitigation specific to CVE-2026-49807. There is consequently little value in disabling unrelated DirectX features, removing graphics applications, or attempting driver changes without evidence that those steps block the vulnerable path. Such actions could disrupt production workloads while leaving the underlying Windows component exposed.
The Real Risk Is Exploit Chaining
The most credible operational concern is that CVE-2026-49807 could become one stage in a multi-vulnerability attack. A local information leak may help an attacker inspect memory or recover data needed to make another exploit more reliable, particularly when paired with a code-execution, sandbox-escape, or elevation-of-privilege vulnerability.Microsoft’s vector makes that possibility worth noting: exploitation requires no privileges, needs no victim interaction, and may have a high confidentiality impact once local access is established. Those properties can make an information leak useful after an attacker gains an initial execution foothold through malware, a malicious document, a browser weakness, or another unpatched service.
There is no public evidence that CVE-2026-49807 currently forms part of such a chain. Microsoft has also withheld enough implementation detail that defenders cannot yet map the vulnerability to a specific DLL, graphics API, media workflow, or application behavior. Any claim that a particular game, browser, virtual desktop platform, or GPU workload triggers the bug would therefore be speculative.
For enterprise IT, patch prioritization should reflect both that uncertainty and the breadth of affected systems. Internet-facing servers do not appear directly exploitable through this vulnerability alone, but shared workstations, virtual desktop infrastructure, developer machines, gaming PCs, and systems that process untrusted graphics or media content should not be left behind during the July rollout.
Administrators should deploy the relevant cumulative update, restart systems where required, and verify that devices have reached or exceeded Microsoft’s fixed build levels. Because Windows updates are cumulative, installing the current security update also covers the DirectX correction without requiring a separate package.
The next meaningful development will be any revision from Microsoft identifying the exposed information or vulnerable DirectX path. Until then, CVE-2026-49807 remains a confirmed but technically opaque local disclosure flaw—one addressed most reliably by completing the July 2026 Windows update cycle.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com