Microsoft has fixed CVE-2026-50305, a high-severity local privilege-escalation vulnerability in the Microsoft Brokering File System affecting Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, and Windows Server 2025. Administrators should deploy the relevant cumulative security update and verify that systems have reached Microsoft’s corrected build thresholds.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability carries a CVSS 3.1 base score of 7.8. Microsoft describes it as a use-after-free flaw that allows an authorized attacker to elevate privileges locally, meaning exploitation requires an attacker to have already gained some level of access to the machine.
The vulnerability was not publicly disclosed or known to be under active exploitation when Microsoft released the fix. The Zero Day Initiative’s July security-update review lists both fields as “No,” while Microsoft assesses exploitation as less likely. That reduces the immediate emergency compared with an actively exploited zero-day, but it does not remove the risk for workstations, shared systems, virtual desktop infrastructure, and servers where an attacker could chain CVE-2026-50305 with an initial-access vulnerability.
CVE-2026-50305 is classified under CWE-416, use after free, as well as CWE-362, which covers concurrent execution using shared resources with improper synchronization. Together, those classifications suggest that the Brokering File System can operate on memory after its intended lifetime has ended, potentially under timing conditions involving competing operations.
Microsoft has not published exploit code or a detailed reproduction sequence. The available CVSS vector nevertheless establishes the important operational boundaries: the attack is local, has low attack complexity, requires low privileges, and needs no user interaction.
The complete vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. A successful exploit can therefore have high impact on confidentiality, integrity, and availability within the affected security scope.
This is not a vulnerability that an anonymous attacker can directly trigger across the internet. Instead, it is valuable after initial compromise. Malware running as an ordinary user, a malicious insider with a restricted account, or an attacker who obtained credentials through phishing could attempt to use the flaw to break out of that limited context.
That distinction matters for prioritization. Internet-facing remote-code-execution flaws usually lead an emergency deployment queue, but local elevation vulnerabilities often determine whether an intrusion remains confined to one user profile or develops into credential theft, security-tool tampering, persistence, and broader lateral movement.
Microsoft delivered those corrected builds through KB5101650, the July 14 cumulative update shared by Windows 11 24H2 and 25H2. After installation,
The shared KB is expected because 24H2 and 25H2 use closely related servicing foundations. For deployment teams, however, the displayed build remains important: seeing KB5101650 in update history is useful, but checking the final build provides stronger confirmation that servicing completed rather than merely downloading or staging the package.
Windows 11 26H1 has an unusual chronology in the affected-version data. Microsoft lists versions below build 28000.2269 as vulnerable, and that build was delivered on June 9 through KB5095051. The July cumulative update, KB5101649, advances Windows 11 26H1 to build 28000.2525.
In practical terms, a 26H1 device already on build 28000.2269 or later satisfies the vulnerability record’s corrected-version boundary. Installing KB5101649 remains the sensible course because cumulative updates include later security and quality fixes, but administrators should not interpret CVE-2026-50305’s July publication date as proof that every corrected binary first appeared in July. Microsoft sometimes documents a vulnerability after fixed code has already shipped in an earlier cumulative package.
Server Core does not avoid the issue simply by omitting the graphical shell. The vulnerability lies in a Windows component included in both installation models, so patch policies should cover full desktop-experience servers and Server Core hosts alike.
That has consequences for environments using Windows Server 2025 as a virtualization host, application platform, management server, or privileged administrative system. A local elevation flaw becomes especially significant on machines where a compromised account can reach service credentials, automation secrets, deployment tooling, or administrative sessions.
Organizations running clustered or highly available workloads should follow their normal staged servicing procedures rather than indefinitely deferring the update. Drain roles where necessary, patch one node at a time, restart as required, and verify build 26100.33158 or later before returning each node to service.
The affected-build thresholds are:
Microsoft’s temporal metrics also indicate that an official fix is available and that the exploit maturity was unproven at publication. Zero Day Initiative likewise recorded no public disclosure and no observed exploitation for this CVE on July 14.
That status can change after patches ship. Monthly cumulative updates give researchers and threat actors binaries to compare, and patch diffing can reveal which functions or memory-management paths Microsoft changed. A flaw assessed as exploitation less likely on release day can therefore become better understood later, particularly when its attack complexity is low.
Defenders should avoid treating the absence of known exploitation as permission to skip the update. It is better understood as room for controlled testing: validate the July cumulative package against critical applications, monitor Microsoft’s Windows release-health information for servicing problems, and then complete deployment on a defined schedule.
Endpoint detection teams can also use the vulnerability’s attack model to tune monitoring. Suspicious activity begins with an already authenticated local context, so useful signals include unexpected privilege changes, unusual child processes launched by low-privilege applications, security-control modification, credential-access behavior, and new persistence immediately after an untrusted executable runs.
CVE-2026-50305 is not the headline zero-day of Microsoft’s unusually large July 2026 Patch Tuesday release. Its practical danger is quieter: it offers a potential route for an attacker who is already inside Windows to turn limited access into a much more damaging position. The immediate milestone for administrators is concrete—reach builds 26100.8875, 26200.8875, 28000.2269 or later, and 26100.33158 on the corresponding Windows editions, then confirm those versions through inventory rather than assuming update approval equals successful installation.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability carries a CVSS 3.1 base score of 7.8. Microsoft describes it as a use-after-free flaw that allows an authorized attacker to elevate privileges locally, meaning exploitation requires an attacker to have already gained some level of access to the machine.
The vulnerability was not publicly disclosed or known to be under active exploitation when Microsoft released the fix. The Zero Day Initiative’s July security-update review lists both fields as “No,” while Microsoft assesses exploitation as less likely. That reduces the immediate emergency compared with an actively exploited zero-day, but it does not remove the risk for workstations, shared systems, virtual desktop infrastructure, and servers where an attacker could chain CVE-2026-50305 with an initial-access vulnerability.
A Local Foothold Can Become a Full-System Compromise
CVE-2026-50305 is classified under CWE-416, use after free, as well as CWE-362, which covers concurrent execution using shared resources with improper synchronization. Together, those classifications suggest that the Brokering File System can operate on memory after its intended lifetime has ended, potentially under timing conditions involving competing operations.Microsoft has not published exploit code or a detailed reproduction sequence. The available CVSS vector nevertheless establishes the important operational boundaries: the attack is local, has low attack complexity, requires low privileges, and needs no user interaction.
The complete vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. A successful exploit can therefore have high impact on confidentiality, integrity, and availability within the affected security scope.
This is not a vulnerability that an anonymous attacker can directly trigger across the internet. Instead, it is valuable after initial compromise. Malware running as an ordinary user, a malicious insider with a restricted account, or an attacker who obtained credentials through phishing could attempt to use the flaw to break out of that limited context.
That distinction matters for prioritization. Internet-facing remote-code-execution flaws usually lead an emergency deployment queue, but local elevation vulnerabilities often determine whether an intrusion remains confined to one user profile or develops into credential theft, security-tool tampering, persistence, and broader lateral movement.
Windows 11 24H2 and 25H2 Share the Main Fix
The National Vulnerability Database’s Microsoft-supplied product data identifies Windows 11 24H2 and 25H2 on both x64 and Arm64 systems as affected. Vulnerable Windows 11 24H2 installations are those below build 26100.8875, while Windows 11 25H2 installations are vulnerable below build 26200.8875.Microsoft delivered those corrected builds through KB5101650, the July 14 cumulative update shared by Windows 11 24H2 and 25H2. After installation,
winver should report OS Build 26100.8875 on version 24H2 or 26200.8875 on version 25H2.The shared KB is expected because 24H2 and 25H2 use closely related servicing foundations. For deployment teams, however, the displayed build remains important: seeing KB5101650 in update history is useful, but checking the final build provides stronger confirmation that servicing completed rather than merely downloading or staging the package.
Windows 11 26H1 has an unusual chronology in the affected-version data. Microsoft lists versions below build 28000.2269 as vulnerable, and that build was delivered on June 9 through KB5095051. The July cumulative update, KB5101649, advances Windows 11 26H1 to build 28000.2525.
In practical terms, a 26H1 device already on build 28000.2269 or later satisfies the vulnerability record’s corrected-version boundary. Installing KB5101649 remains the sensible course because cumulative updates include later security and quality fixes, but administrators should not interpret CVE-2026-50305’s July publication date as proof that every corrected binary first appeared in July. Microsoft sometimes documents a vulnerability after fixed code has already shipped in an earlier cumulative package.
Windows Server 2025 Needs Its Own Build Check
Windows Server 2025 and its Server Core installation option are also affected. Microsoft’s product data marks builds below 26100.33158 as vulnerable, with the corrected server build delivered by the July 14 update KB5099536.Server Core does not avoid the issue simply by omitting the graphical shell. The vulnerability lies in a Windows component included in both installation models, so patch policies should cover full desktop-experience servers and Server Core hosts alike.
That has consequences for environments using Windows Server 2025 as a virtualization host, application platform, management server, or privileged administrative system. A local elevation flaw becomes especially significant on machines where a compromised account can reach service credentials, automation secrets, deployment tooling, or administrative sessions.
Organizations running clustered or highly available workloads should follow their normal staged servicing procedures rather than indefinitely deferring the update. Drain roles where necessary, patch one node at a time, restart as required, and verify build 26100.33158 or later before returning each node to service.
The affected-build thresholds are:
- Windows 11 24H2 is corrected at OS Build 26100.8875 through KB5101650.
- Windows 11 25H2 is corrected at OS Build 26200.8875 through KB5101650.
- Windows 11 26H1 is outside the listed vulnerable range at OS Build 28000.2269 or later, with July’s KB5101649 advancing systems to 28000.2525.
- Windows Server 2025 and Server Core are corrected at OS Build 26100.33158 through KB5099536.
“Confirmed” Describes Evidence, Not Active Attacks
The report-confidence language attached to CVE-2026-50305 can be easy to misread. A rating of “Confirmed” means the vulnerability’s existence and technical basis have been confirmed by the vendor or sufficiently detailed research. It does not mean Microsoft has confirmed exploitation in customer environments.Microsoft’s temporal metrics also indicate that an official fix is available and that the exploit maturity was unproven at publication. Zero Day Initiative likewise recorded no public disclosure and no observed exploitation for this CVE on July 14.
That status can change after patches ship. Monthly cumulative updates give researchers and threat actors binaries to compare, and patch diffing can reveal which functions or memory-management paths Microsoft changed. A flaw assessed as exploitation less likely on release day can therefore become better understood later, particularly when its attack complexity is low.
Defenders should avoid treating the absence of known exploitation as permission to skip the update. It is better understood as room for controlled testing: validate the July cumulative package against critical applications, monitor Microsoft’s Windows release-health information for servicing problems, and then complete deployment on a defined schedule.
Endpoint detection teams can also use the vulnerability’s attack model to tune monitoring. Suspicious activity begins with an already authenticated local context, so useful signals include unexpected privilege changes, unusual child processes launched by low-privilege applications, security-control modification, credential-access behavior, and new persistence immediately after an untrusted executable runs.
CVE-2026-50305 is not the headline zero-day of Microsoft’s unusually large July 2026 Patch Tuesday release. Its practical danger is quieter: it offers a potential route for an attacker who is already inside Windows to turn limited access into a much more damaging position. The immediate milestone for administrators is concrete—reach builds 26100.8875, 26200.8875, 28000.2269 or later, and 26100.33158 on the corresponding Windows editions, then confirm those versions through inventory rather than assuming update approval equals successful installation.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: www2.gov.bc.ca