CVE-2026-50326: Install July Updates to Stop Windows Privilege Escalation

Microsoft has fixed CVE-2026-50326, a Windows Unified Consent System elevation-of-privilege vulnerability that could let a locally authenticated attacker gain higher permissions. The flaw carries a CVSS 3.1 base score of 7.8 and affects Windows 10, Windows 11, and Windows Server 2025 systems that have not received the applicable security updates.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability is classified as Important rather than Critical. Microsoft describes the underlying weakness as a use-after-free memory-management error in the Windows Unified Consent System, a component associated with handling consent for privileged operations.
CVE-2026-50326 was not listed as publicly disclosed or exploited in the wild when Microsoft released the fix. Trend Micro’s Zero Day Initiative likewise recorded no known exploitation or public disclosure in its July 2026 security update review, while CISA’s initial assessment marked exploitation as “none.”

Cybersecurity dashboard depicts a Windows privilege-escalation vulnerability and successful security update deployment.A Local Foothold Can Become a Full Compromise​

CVE-2026-50326 is not remotely exploitable by itself. Microsoft’s CVSS vector — AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H — indicates that an attacker must already have local access and low-level privileges on the target computer.
That requirement limits its value as an initial intrusion mechanism, but it does not make the vulnerability harmless. Privilege-escalation bugs are commonly used after an attacker gains access through phishing, a malicious document, stolen credentials, an exposed service, or another software vulnerability.
The attack has low complexity and does not require another user to click a prompt or approve an action. A successful exploit could produce high confidentiality, integrity, and availability impact, meaning the attacker could potentially access protected information, modify system resources, and disrupt the affected computer.
Microsoft has not published proof-of-concept code or a detailed exploitation sequence. The public description does not establish exactly which process, object, or consent workflow triggers the use-after-free condition, so administrators should avoid assuming that changing a User Account Control policy is an adequate workaround.
Windows User Account Control normally separates standard user activity from operations requiring administrative rights. As Microsoft explains in its UAC documentation, Windows presents a consent or credential prompt when an operation requires elevation. CVE-2026-50326 concerns the Unified Consent System rather than proving that every UAC prompt can be bypassed, but its placement in this security boundary makes prompt patching prudent.

July Updates Establish the Safe Build Floor​

The affected-product data supplied by Microsoft covers Windows 11 versions 24H2, 25H2, and 26H1, along with selected Windows 10 releases and Windows Server 2025. Both x64 and ARM64 Windows 11 devices are included; affected Windows 10 entries also cover 32-bit systems.
For the principal supported client releases, Microsoft’s July updates move patched machines to these builds:
  • Windows 11 version 24H2 reaches OS build 26100.8875 through KB5101650.
  • Windows 11 version 25H2 reaches OS build 26200.8875 through KB5101650.
  • Windows 11 version 26H1 reaches OS build 28000.2525 through KB5101649.
  • Windows 10 version 21H2 reaches OS build 19044.7548 through KB5099539.
  • Windows 10 version 22H2 reaches OS build 19045.7548 through KB5099539.
  • Windows Server 2025 reaches OS build 26100.33158 through KB5099536.
Microsoft’s CVE record identifies Windows 11 24H2 builds earlier than 26100.8875 and Windows 11 25H2 builds earlier than 26200.8875 as vulnerable. For Windows Server 2025, the listed boundary is 26100.33158, including Server Core installations.
Windows 10 requires closer attention because the presence of an applicable build number does not mean every installation remains entitled to updates. General support for Windows 10 version 22H2 ended on October 14, 2025, while particular Enterprise, LTSC, IoT, or Extended Security Updates configurations follow different servicing rules. Administrators should verify that each Windows 10 device is enrolled in an eligible servicing channel rather than simply waiting for KB5099539 to appear.
The safest operational test is to confirm successful installation of the appropriate July 14 cumulative update and then verify the resulting OS build with winver, PowerShell, Microsoft Intune, Configuration Manager, or the organization’s vulnerability-management platform. Checking only whether Windows Update ran is insufficient because failed installations, pending restarts, safeguard holds, and stale inventory data can leave machines below the corrected build.

Confidence Is High Even Though Technical Detail Is Sparse​

The supplied vulnerability data refers to a confidence metric that distinguishes suspected weaknesses from technically confirmed flaws. For CVE-2026-50326, the CVSS temporal vector reports Report Confidence: Confirmed, meaning the vulnerability’s existence has been acknowledged by the affected vendor.
That confidence rating should not be confused with active exploitation. It says Microsoft has validated the defect and shipped a remedy; it does not say attackers are already using it. The same temporal data identifies exploit maturity as unproven and records an official fix as available.
The National Vulnerability Database was still awaiting its own enrichment shortly after publication, but it had already imported Microsoft’s 7.8 score, CWE-416 classification, affected versions, and local attack requirements. CISA’s initial SSVC data assessed the attack as not readily automatable while assigning “total” technical impact, a combination consistent with a local privilege-escalation bug that requires an existing foothold but can have severe consequences after exploitation.
A use-after-free occurs when software continues to reference memory after the associated object has been released. If an attacker can influence how that memory is reused, the program may read corrupted data, crash, or execute unintended operations in the security context of the vulnerable process. The precise outcome depends on the affected component and available mitigations, details Microsoft has not publicly documented for CVE-2026-50326.
This lack of a detailed write-up reduces the immediate amount of information available to would-be attackers, but it is not a durable defense. Comparing pre-update and post-update Windows binaries can help security researchers—and exploit developers—identify the corrected code path after a patch becomes available.

Administrators Should Treat It as a Chaining Risk​

CVE-2026-50326 does not warrant emergency isolation of every Windows endpoint on its own. It does warrant inclusion in the normal accelerated deployment path for July’s cumulative updates, especially on shared workstations, administrative jump boxes, developer systems, virtual desktop hosts, and servers where multiple users or service accounts can execute code.
Organizations should prioritize devices on which a low-privilege compromise would expose domain credentials, management tools, software-signing material, sensitive data, or privileged browser sessions. Server Core is not exempt: Microsoft explicitly lists Windows Server 2025 Server Core installations among the affected products.
Endpoint detection rules should also watch for unusual child processes, token changes, protected-resource access, service creation, scheduled tasks, and security-control modification following execution by an ordinary user. Those signals will not identify CVE-2026-50326 conclusively, but they can reveal the post-exploitation behavior expected after a successful privilege escalation.
There is no vendor-documented registry workaround, Group Policy mitigation, or UAC configuration change that replaces the security update. Disabling consent prompts would weaken the system’s security posture without repairing the memory-management defect.
For Windows 11 24H2 and 25H2, KB5101650 and builds 26100.8875 or 26200.8875 are the practical compliance targets. Windows Server 2025 administrators should verify KB5099536 and build 26100.33158, while Windows 10 operators must first confirm that their devices remain covered by LTSC, IoT, or ESU servicing. Until those build floors are visible in endpoint inventory, CVE-2026-50326 remains a viable second stage for any attacker who has already crossed the first boundary.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top