CVE-2026-50311 is a high-severity Windows privilege-escalation vulnerability that allows a low-privileged, authenticated attacker to gain elevated local access. Microsoft fixed the improper-access-control flaw in its July 14, 2026 security updates, making patch deployment the primary action for administrators managing affected Windows Server systems.
Detailed in Microsoft’s Security Response Center advisory, CVE-2026-50311 carries a CVSS 3.1 score of 7.8 and an Important severity rating. The National Vulnerability Database identifies the weakness as CWE-284, Improper Access Control, and says its own analysis is still undergoing enrichment.
The vulnerability is not a remote, unauthenticated route into a server. An attacker must already possess local access and low-level privileges, but exploitation requires no user interaction and is rated as low complexity. That combination makes it relevant to post-compromise activity, where an intruder or malicious insider seeks to turn an ordinary account into a substantially more powerful foothold.
Microsoft’s CVSS vector is
The potential consequences are much larger than the local attack vector might suggest. Microsoft assigned high impact ratings for confidentiality, integrity, and availability, indicating that successful exploitation could expose protected information, permit unauthorized changes, and disrupt the affected system.
CISA’s Stakeholder-Specific Vulnerability Categorization assessment records no known exploitation as of July 14. It also classifies automated exploitation as unlikely while assigning a total technical impact. That is an important distinction: the vulnerability is not presently described as a wormable emergency, but a successful attacker could potentially obtain comprehensive control of the compromised machine.
Microsoft has not publicly documented the affected Windows Server component, vulnerable operation, privilege level obtained, or a proof-of-concept exploitation sequence. The advisory instead provides the broad diagnosis that improper access control allows an authorized attacker to elevate privileges locally.
That limited disclosure reduces the immediate value of the advisory to would-be attackers, but it also leaves defenders without a component-specific mitigation. There is no service to disable, port to block, or configuration change identified as a substitute for installing the security update.
On the server side, Microsoft lists:
The corrected build thresholds recorded with the CVE include Windows Server 2016 build 14393.9339, Windows Server 2019 build 17763.9020, Windows Server 2022 build 20348.5386, and Windows Server 2025 build 26100.33158. Systems below the applicable build remain within the affected range identified by Microsoft.
For current server releases, the corresponding July updates include KB5099540 for Windows Server 2022, bringing it to OS Build 20348.5386, and KB5099536 for Windows Server 2025, bringing it to OS Build 26100.33158. Administrators should verify the installed cumulative update or OS build rather than relying only on a Windows Update history screen that says a scan completed successfully.
Client-side fixed thresholds include build 26100.8875 for Windows 11 24H2, build 26200.8875 for Windows 11 25H2, and build 28000.2269 or later for the applicable Windows 11 26H1 servicing path. Windows 10 21H2 and 22H2 are listed as affected below builds 19044.7548 and 19045.7548 respectively.
The practical scope is therefore wider than the advisory title implies. Organizations should use Microsoft’s product matrix and their own asset inventory rather than filtering vulnerability-management results solely for machines labeled as servers.
Domain controllers deserve prompt attention as well, even though Microsoft has not said that the flaw is specific to Active Directory Domain Services. A local privilege escalation on a domain controller has a fundamentally different business impact from the same flaw on an isolated test workstation.
The vulnerability is also relevant to attack chains. Threat actors frequently obtain initial access through stolen credentials, phishing, exposed remote-management services, or a separate remote-code-execution vulnerability, then use a privilege-escalation bug to escape the restrictions of the compromised identity. CVE-2026-50311 does not need to provide initial entry to become operationally valuable.
Administrators unable to deploy the July cumulative updates immediately should tighten controls that make local exploitation harder. That includes limiting interactive logon rights, reviewing membership in Remote Desktop Users and other delegated groups, reducing shared administrator access, and monitoring for unusual process creation or account changes originating from low-privileged sessions.
Those measures reduce exposure but do not correct the faulty access control. Because Microsoft has not published a component-specific workaround, installing the applicable July 14 security update remains the only documented fix.
NVD had not completed its independent enrichment when the record was published on July 14. That status should not be mistaken for uncertainty over whether the flaw exists; it means NIST had not yet added its own scoring, platform mappings, and supplementary analysis.
There was also no public proof of concept or confirmed exploitation reported in the available records at publication time. That gives administrators room to follow controlled deployment rings rather than treating CVE-2026-50311 as an isolated out-of-band crisis, but it does not justify leaving internet-connected or multi-user servers unpatched indefinitely.
CVE-2026-50311 arrived inside an unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 Microsoft vulnerabilities addressed during the cycle, including hundreds of elevation-of-privilege issues and multiple zero-days. In that volume, a 7.8-rated local vulnerability can easily disappear behind critical remote-code-execution headlines.
For Windows administrators, the immediate milestone is straightforward: confirm that affected servers have reached builds 14393.9339, 17763.9020, 20348.5386, or 26100.33158 as appropriate, then extend the same verification to affected Windows 10 and Windows 11 endpoints. The remaining unresolved issue is whether Microsoft or an external researcher will disclose enough technical detail to show which Windows security boundary failed—and how readily attackers could fold it into a real-world intrusion chain.
Detailed in Microsoft’s Security Response Center advisory, CVE-2026-50311 carries a CVSS 3.1 score of 7.8 and an Important severity rating. The National Vulnerability Database identifies the weakness as CWE-284, Improper Access Control, and says its own analysis is still undergoing enrichment.
The vulnerability is not a remote, unauthenticated route into a server. An attacker must already possess local access and low-level privileges, but exploitation requires no user interaction and is rated as low complexity. That combination makes it relevant to post-compromise activity, where an intruder or malicious insider seeks to turn an ordinary account into a substantially more powerful foothold.
A Local Bug With System-Wide Consequences
Microsoft’s CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, exploitation must originate locally, requires an existing low-privileged account, and does not depend on persuading another user to open a file or approve a prompt.The potential consequences are much larger than the local attack vector might suggest. Microsoft assigned high impact ratings for confidentiality, integrity, and availability, indicating that successful exploitation could expose protected information, permit unauthorized changes, and disrupt the affected system.
CISA’s Stakeholder-Specific Vulnerability Categorization assessment records no known exploitation as of July 14. It also classifies automated exploitation as unlikely while assigning a total technical impact. That is an important distinction: the vulnerability is not presently described as a wormable emergency, but a successful attacker could potentially obtain comprehensive control of the compromised machine.
Microsoft has not publicly documented the affected Windows Server component, vulnerable operation, privilege level obtained, or a proof-of-concept exploitation sequence. The advisory instead provides the broad diagnosis that improper access control allows an authorized attacker to elevate privileges locally.
That limited disclosure reduces the immediate value of the advisory to would-be attackers, but it also leaves defenders without a component-specific mitigation. There is no service to disable, port to block, or configuration change identified as a substitute for installing the security update.
The “Windows Server” Name Hides a Broader Footprint
Despite Microsoft naming CVE-2026-50311 as a Windows Server vulnerability, the vendor’s affected-product record extends into supported Windows client releases. The list includes Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, and several Windows 10 branches still receiving applicable servicing.On the server side, Microsoft lists:
- Windows Server 2012 and Server Core installations.
- Windows Server 2012 R2 and Server Core installations.
- Windows Server 2016 and Server Core installations.
- Windows Server 2019 and Server Core installations.
- Windows Server 2022.
- Windows Server 2025 and Server Core installations.
The corrected build thresholds recorded with the CVE include Windows Server 2016 build 14393.9339, Windows Server 2019 build 17763.9020, Windows Server 2022 build 20348.5386, and Windows Server 2025 build 26100.33158. Systems below the applicable build remain within the affected range identified by Microsoft.
For current server releases, the corresponding July updates include KB5099540 for Windows Server 2022, bringing it to OS Build 20348.5386, and KB5099536 for Windows Server 2025, bringing it to OS Build 26100.33158. Administrators should verify the installed cumulative update or OS build rather than relying only on a Windows Update history screen that says a scan completed successfully.
Client-side fixed thresholds include build 26100.8875 for Windows 11 24H2, build 26200.8875 for Windows 11 25H2, and build 28000.2269 or later for the applicable Windows 11 26H1 servicing path. Windows 10 21H2 and 22H2 are listed as affected below builds 19044.7548 and 19045.7548 respectively.
The practical scope is therefore wider than the advisory title implies. Organizations should use Microsoft’s product matrix and their own asset inventory rather than filtering vulnerability-management results solely for machines labeled as servers.
Patch Priority Depends on Where Local Access Leads
CVE-2026-50311 should be prioritized on systems where low-privileged access is common or where elevated control would expose high-value workloads. Remote Desktop Session Hosts, jump servers, shared administrative systems, virtual desktop infrastructure, development servers, and machines running third-party services under restricted identities are natural candidates for accelerated testing.Domain controllers deserve prompt attention as well, even though Microsoft has not said that the flaw is specific to Active Directory Domain Services. A local privilege escalation on a domain controller has a fundamentally different business impact from the same flaw on an isolated test workstation.
The vulnerability is also relevant to attack chains. Threat actors frequently obtain initial access through stolen credentials, phishing, exposed remote-management services, or a separate remote-code-execution vulnerability, then use a privilege-escalation bug to escape the restrictions of the compromised identity. CVE-2026-50311 does not need to provide initial entry to become operationally valuable.
Administrators unable to deploy the July cumulative updates immediately should tighten controls that make local exploitation harder. That includes limiting interactive logon rights, reviewing membership in Remote Desktop Users and other delegated groups, reducing shared administrator access, and monitoring for unusual process creation or account changes originating from low-privileged sessions.
Those measures reduce exposure but do not correct the faulty access control. Because Microsoft has not published a component-specific workaround, installing the applicable July 14 security update remains the only documented fix.
Sparse Disclosure Does Not Mean Low Confidence
The confidence language accompanying the advisory concerns how firmly the vulnerability and its technical characteristics have been established. In this case, Microsoft is the assigning authority and has shipped corrected Windows builds, so the existence of the vulnerability is vendor-confirmed even though the public technical description remains minimal.NVD had not completed its independent enrichment when the record was published on July 14. That status should not be mistaken for uncertainty over whether the flaw exists; it means NIST had not yet added its own scoring, platform mappings, and supplementary analysis.
There was also no public proof of concept or confirmed exploitation reported in the available records at publication time. That gives administrators room to follow controlled deployment rings rather than treating CVE-2026-50311 as an isolated out-of-band crisis, but it does not justify leaving internet-connected or multi-user servers unpatched indefinitely.
CVE-2026-50311 arrived inside an unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 Microsoft vulnerabilities addressed during the cycle, including hundreds of elevation-of-privilege issues and multiple zero-days. In that volume, a 7.8-rated local vulnerability can easily disappear behind critical remote-code-execution headlines.
For Windows administrators, the immediate milestone is straightforward: confirm that affected servers have reached builds 14393.9339, 17763.9020, 20348.5386, or 26100.33158 as appropriate, then extend the same verification to affected Windows 10 and Windows 11 endpoints. The remaining unresolved issue is whether Microsoft or an external researcher will disclose enough technical detail to show which Windows security boundary failed—and how readily attackers could fold it into a real-world intrusion chain.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
July 14, 2026-KB5102206 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows Server 2022 | Microsoft Support
July 14, 2026-KB5102206 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows Server 2022support.microsoft.com - Official source: learn.microsoft.com
Windows Server release information | Microsoft Learn
Release information about Windows Serverlearn.microsoft.com - Related coverage: tomshardware.com
Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild | Tom's Hardware
System administrators, run the May 12 patch immediately if you haven't already.www.tomshardware.com