CVE-2026-50295 exposes a local route around Windows Zero Trust DNS controls on unpatched Windows 11 and Windows Server 2025 systems, allowing an authorized attacker to undermine a policy intended to restrict outbound network traffic. Microsoft published the vulnerability on July 14, 2026, assigning it a CVSS 3.1 score of 5.5 and classifying it as a medium-severity security feature bypass.
Detailed in Microsoft’s Security Update Guide and the official CVE record, the flaw stems from improper privilege management in Windows DNS. Exploitation requires local access and low privileges, but no user interaction, meaning it is more relevant as a post-compromise technique than as an initial entry point.
Administrators using Zero Trust DNS should treat the update as a control-integrity fix, not dismiss it solely because of the moderate score. A bypass can weaken the network restrictions that defenders expect to contain malware, unauthorized tools, or compromised user accounts.
Zero Trust DNS, commonly shortened to ZTDNS, extends the Windows DNS client so organizations can enforce domain-based network access rules directly on an endpoint. When enabled, Windows blocks outbound IP traffic by default and permits connections only when the destination was resolved through an administrator-approved DNS server or explicitly exempted by policy.
The intended result is that software cannot simply avoid a protective DNS service by connecting directly to an IP address. A policy-aware protective DNS server can block unwanted domains, while Windows enforces the decision against applications running on the device.
CVE-2026-50295 affects that enforcement model. Microsoft’s description says an authorized local attacker can bypass a security feature, while the associated CWE-269 classification identifies incorrect privilege management as the underlying weakness. Microsoft has not published a detailed attack sequence, proof of concept, affected Windows component path, or explanation of exactly which ZTDNS rule can be circumvented.
That missing technical detail limits conclusions about the practical scope. The available information does not establish that an attacker can disable every ZTDNS restriction or gain arbitrary network access under all configurations. It does establish that Microsoft considers a policy bypass possible and has shipped corrected Windows builds.
The CVSS vector provides several useful boundaries:
The corrected version boundaries in the CVE record are:
For Windows 11 24H2 and 25H2, the July cumulative update is KB5101650, which advances the operating systems to builds 26100.8875 and 26200.8875 respectively. Windows Server 2025 reaches build 26100.33158 with KB5099536.
Windows 11 26H1 is an unusual case. Microsoft’s CVE data marks builds earlier than 28000.2269 as vulnerable, making the June 9 cumulative update KB5095051 the listed security boundary. Devices running the newer July update, KB5101649 and build 28000.2525, are also beyond that boundary.
The build number matters more than simply seeing a green Windows Update status. Management platforms can report that an update was assigned or installed while a device remains behind because of a pending restart, servicing failure, safeguard hold, or stale inventory data. Administrators should verify the resulting OS build with
Older Windows releases are notably absent from Microsoft’s affected-product list. Windows 11 23H2, Windows 10, and Windows Server 2022 are not identified as vulnerable, which is consistent with ZTDNS being associated with Microsoft’s newer Windows networking stack and current Windows 11 deployments.
Microsoft’s CVSS data also marks exploit maturity as unproven while assigning high confidence to the accuracy of the vulnerability details. In practical terms, the vulnerability is confirmed and sufficiently understood to patch, but there is no public evidence in the record that working exploit code or attacks in the wild were known at publication.
That distinction is important. Report confidence measures confidence in the technical claim, not the probability that an organization will be attacked. A confirmed medium-severity vulnerability can still have limited real-world urgency if it needs an uncommon configuration, while an exploited flaw with a lower numeric score may demand immediate action.
CVE-2026-50295 becomes more consequential where ZTDNS is part of a formal containment strategy. If administrators rely on the feature to ensure that endpoints communicate only with domains approved by protective DNS policy, a local bypass could create a gap between the policy shown in management tooling and the network behavior actually enforced on the device.
Possible post-compromise consequences include malware attempting to reach command-and-control infrastructure, an unauthorized utility bypassing domain restrictions, or an insider trying to connect to a destination that protective DNS policy would reject. Microsoft has not confirmed those specific scenarios for this CVE, but they illustrate why a security boundary failure deserves attention even when it does not independently provide code execution or privilege escalation.
ZTDNS deployments also tend to be deliberately restrictive. Microsoft’s own operational guidance warns that the feature can block protocols and services that cannot be associated with an approved DNS resolution, including some discovery and printing workflows. Organizations accepting those compatibility costs are doing so to obtain stronger endpoint network control; leaving the enforcement component unpatched defeats part of that investment.
Security teams should prioritize devices where Zero Trust DNS is enabled, followed by Windows Server 2025 systems that are permitted to run interactive or third-party workloads. Standard workstations without ZTDNS still need the July cumulative update, but the vulnerability’s direct policy impact is greatest on endpoints actively using the feature.
After deployment, administrators should confirm both the Windows build and ZTDNS operation. Microsoft provides
Testing should include a domain allowed by the protective DNS policy, a blocked domain, and an outbound connection that attempts to use a direct IP address without an approved exception. That validates the control users actually depend upon rather than assuming a successful update installation proves the policy is functioning.
CVE-2026-50295 does not appear to be an emergency internet-facing threat, but it lands directly on a security boundary designed to contain already-compromised endpoints. For ZTDNS adopters, the concrete target is now clear: Windows 11 24H2 build 26100.8875, Windows 11 25H2 build 26200.8875, Windows 11 26H1 at or beyond build 28000.2269, and Windows Server 2025 build 26100.33158.
Detailed in Microsoft’s Security Update Guide and the official CVE record, the flaw stems from improper privilege management in Windows DNS. Exploitation requires local access and low privileges, but no user interaction, meaning it is more relevant as a post-compromise technique than as an initial entry point.
Administrators using Zero Trust DNS should treat the update as a control-integrity fix, not dismiss it solely because of the moderate score. A bypass can weaken the network restrictions that defenders expect to contain malware, unauthorized tools, or compromised user accounts.
The Bypass Targets the Enforcement Point
Zero Trust DNS, commonly shortened to ZTDNS, extends the Windows DNS client so organizations can enforce domain-based network access rules directly on an endpoint. When enabled, Windows blocks outbound IP traffic by default and permits connections only when the destination was resolved through an administrator-approved DNS server or explicitly exempted by policy.The intended result is that software cannot simply avoid a protective DNS service by connecting directly to an IP address. A policy-aware protective DNS server can block unwanted domains, while Windows enforces the decision against applications running on the device.
CVE-2026-50295 affects that enforcement model. Microsoft’s description says an authorized local attacker can bypass a security feature, while the associated CWE-269 classification identifies incorrect privilege management as the underlying weakness. Microsoft has not published a detailed attack sequence, proof of concept, affected Windows component path, or explanation of exactly which ZTDNS rule can be circumvented.
That missing technical detail limits conclusions about the practical scope. The available information does not establish that an attacker can disable every ZTDNS restriction or gain arbitrary network access under all configurations. It does establish that Microsoft considers a policy bypass possible and has shipped corrected Windows builds.
The CVSS vector provides several useful boundaries:
- The attacker must already be able to execute actions locally on the affected computer.
- Exploitation is rated as low complexity and requires low privileges.
- No user interaction is required once the attacker has local access.
- The expected security impact is high for integrity, with no direct confidentiality or availability impact recorded.
Windows 11 and Server 2025 Carry the Exposure
Microsoft lists Windows 11 versions 24H2, 25H2, and 26H1 as affected, across the supported x64 and ARM64 architectures. Windows Server 2025 and its Server Core installation are also included.The corrected version boundaries in the CVE record are:
| Product | Protected build boundary |
|---|---|
| Windows 11 version 24H2 | 26100.8875 |
| Windows 11 version 25H2 | 26200.8875 |
| Windows 11 version 26H1 | 28000.2269 |
| Windows Server 2025 | 26100.33158 |
Windows 11 26H1 is an unusual case. Microsoft’s CVE data marks builds earlier than 28000.2269 as vulnerable, making the June 9 cumulative update KB5095051 the listed security boundary. Devices running the newer July update, KB5101649 and build 28000.2525, are also beyond that boundary.
The build number matters more than simply seeing a green Windows Update status. Management platforms can report that an update was assigned or installed while a device remains behind because of a pending restart, servicing failure, safeguard hold, or stale inventory data. Administrators should verify the resulting OS build with
winver, PowerShell inventory, Microsoft Intune, Configuration Manager, Windows Update for Business reports, or their vulnerability-management platform.Older Windows releases are notably absent from Microsoft’s affected-product list. Windows 11 23H2, Windows 10, and Windows Server 2022 are not identified as vulnerable, which is consistent with ZTDNS being associated with Microsoft’s newer Windows networking stack and current Windows 11 deployments.
A Moderate Score Can Hide a Serious Policy Failure
CVE-2026-50295 is not among the actively exploited zero-days driving the most urgent July 2026 Patch Tuesday decisions. The CVE enrichment published through CISA records no known exploitation, describes the flaw as non-automatable, and rates its technical impact as partial.Microsoft’s CVSS data also marks exploit maturity as unproven while assigning high confidence to the accuracy of the vulnerability details. In practical terms, the vulnerability is confirmed and sufficiently understood to patch, but there is no public evidence in the record that working exploit code or attacks in the wild were known at publication.
That distinction is important. Report confidence measures confidence in the technical claim, not the probability that an organization will be attacked. A confirmed medium-severity vulnerability can still have limited real-world urgency if it needs an uncommon configuration, while an exploited flaw with a lower numeric score may demand immediate action.
CVE-2026-50295 becomes more consequential where ZTDNS is part of a formal containment strategy. If administrators rely on the feature to ensure that endpoints communicate only with domains approved by protective DNS policy, a local bypass could create a gap between the policy shown in management tooling and the network behavior actually enforced on the device.
Possible post-compromise consequences include malware attempting to reach command-and-control infrastructure, an unauthorized utility bypassing domain restrictions, or an insider trying to connect to a destination that protective DNS policy would reject. Microsoft has not confirmed those specific scenarios for this CVE, but they illustrate why a security boundary failure deserves attention even when it does not independently provide code execution or privilege escalation.
ZTDNS deployments also tend to be deliberately restrictive. Microsoft’s own operational guidance warns that the feature can block protocols and services that cannot be associated with an approved DNS resolution, including some discovery and printing workflows. Organizations accepting those compatibility costs are doing so to obtain stronger endpoint network control; leaving the enforcement component unpatched defeats part of that investment.
Patch First, Then Test the Policy Itself
The appropriate remediation is to install the applicable cumulative Windows update and restart where required. Microsoft has not documented a separate registry mitigation, Group Policy workaround, or ZTDNS configuration change that fully addresses CVE-2026-50295.Security teams should prioritize devices where Zero Trust DNS is enabled, followed by Windows Server 2025 systems that are permitted to run interactive or third-party workloads. Standard workstations without ZTDNS still need the July cumulative update, but the vulnerability’s direct policy impact is greatest on endpoints actively using the feature.
After deployment, administrators should confirm both the Windows build and ZTDNS operation. Microsoft provides
netsh ztdns commands for inspecting trusted DNS servers, exceptions, certificate settings, and feature state, while relevant diagnostic events are available under the Microsoft-Windows-ZTDNS logs in Event Viewer.Testing should include a domain allowed by the protective DNS policy, a blocked domain, and an outbound connection that attempts to use a direct IP address without an approved exception. That validates the control users actually depend upon rather than assuming a successful update installation proves the policy is functioning.
CVE-2026-50295 does not appear to be an emergency internet-facing threat, but it lands directly on a security boundary designed to contain already-compromised endpoints. For ZTDNS adopters, the concrete target is now clear: Windows 11 24H2 build 26100.8875, Windows 11 25H2 build 26200.8875, Windows 11 26H1 at or beyond build 28000.2269, and Windows Server 2025 build 26100.33158.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: learn.microsoft.com
Zero Trust DNS commands | Microsoft Learn
This article lists all the commands available for Zero Trust DNS (ZTDNS) configuration and management.learn.microsoft.com - Related coverage: tomsguide.com
Microsoft's first Patch Tuesday of 2026 fixes over 100 bugs and one active zero-day flaw — don't wait to update your PC | Tom's Guide
Microsoft if back with its first round of Patch Tuesday updates for the new year which fix 114 security flaws in total.www.tomsguide.com - Related coverage: techradar.com
Russian hackers are targeting a new Office 365 zero-day, so patch now or face attack | TechRadar
Ukraine's defenders have spotted a new hacking attackwww.techradar.com