CVE-2026-50335 is a high-severity Windows elevation-of-privilege vulnerability fixed in Microsoft’s July 14, 2026 security updates. The flaw affects supported Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2025 releases, giving administrators another reason to prioritize this month’s cumulative updates.
Detailed in Microsoft’s Security Update Guide, the vulnerability stems from improper access control in Windows. An attacker who already has limited access to a machine could exploit the flaw locally to obtain substantially greater privileges, potentially taking complete control of the affected system.
Microsoft rates CVE-2026-50335 as Important, while its CVSS 3.1 base score of 7.8 places it in the High severity range. The company’s exploitability assessment says exploitation is less likely, and Microsoft reported neither active exploitation nor public disclosure when the advisory was published.
CVE-2026-50335 is not a remotely exploitable, pre-authentication vulnerability. Its CVSS vector indicates that an attacker must execute the attack locally and already possess low-level privileges. No additional user interaction is required, and Microsoft describes the attack complexity as low.
Those constraints limit the initial attack surface, but they do not make the flaw harmless. Elevation-of-privilege vulnerabilities are commonly used after an attacker has obtained an ordinary user account through phishing, credential theft, a malicious application, or exploitation of a separate remote vulnerability.
The reported security impact is high across confidentiality, integrity, and availability. In practical terms, successful exploitation could let an attacker cross a Windows security boundary, access protected information, modify system resources, install persistent malware, interfere with security controls, or disrupt the machine.
Microsoft associates CVE-2026-50335 with CWE-284, Improper Access Control. That broad classification means Windows failed to enforce an intended restriction around a protected resource or operation, although the public advisory does not identify the specific Windows component, service, API, or object involved.
The absence of component-level detail reduces immediate exposure to copy-and-paste exploitation, but it also leaves defenders with little telemetry specific to this vulnerability. There is no process name, event ID, registry path, driver, or service behavior that administrators can use as a reliable CVE-specific detection signal.
It does not mean Microsoft has observed attackers exploiting CVE-2026-50335. The July 14 advisory lists the vulnerability as not publicly disclosed and not exploited, while assigning “Exploitation Less Likely” to Microsoft’s latest supported software releases.
These measurements answer different questions:
Administrators should therefore avoid describing this particular flaw as actively exploited. Its urgency comes instead from the breadth of affected Windows releases, the low-complexity local attack path, and the severe outcome once an attacker has secured an initial foothold.
The principal patched builds include:
Windows 10 also requires lifecycle awareness. Windows 10 version 22H2 reached the end of free support on October 14, 2025, so ordinary consumer and unmanaged installations need enrollment in Extended Security Updates to continue receiving fixes such as KB5099539. Windows 10 Enterprise LTSC 2019, Enterprise LTSC 2021, and qualifying IoT editions remain covered according to their separate lifecycle dates.
Updates are available through Windows Update, Windows Update for Business, Microsoft Update Catalog, and Windows Server Update Services where supported. Managed environments should verify successful installation by checking the resulting OS build rather than relying only on an update deployment status of “installed.”
That creates compatibility considerations for enterprise rollouts. Applications using sockets over unregistered third-party TDI transports may stop working after the July updates, while older Remote Desktop publishing workflows that still depend on SHA-1 thumbprints should be moved toward SHA-256 or stronger algorithms.
Microsoft has also documented a BitLocker recovery scenario affecting a limited subset of managed systems with an unrecommended Group Policy configuration. The condition involves OS-drive BitLocker, explicit PCR7 validation settings, a system reporting that PCR7 binding is not possible, and deployment of the Windows UEFI CA 2023 certificate. Administrators managing such configurations should review BitLocker policy and ensure recovery keys are available before broad deployment.
Those issues justify staged validation, but not an indefinite delay. CVE-2026-50335 provides a low-complexity route from limited local access to a high-impact compromise, exactly the type of vulnerability that becomes more dangerous when chained with phishing, stolen credentials, or another initial-access bug.
Security teams should deploy the July 14 cumulative update to representative Windows client and server rings, validate line-of-business networking and BitLocker behavior, and then expand the rollout. The concrete completion check is straightforward: affected machines should be running the July 2026 build for their Windows branch, with unsupported Windows 10 systems either covered by ESU or removed from production use.
Detailed in Microsoft’s Security Update Guide, the vulnerability stems from improper access control in Windows. An attacker who already has limited access to a machine could exploit the flaw locally to obtain substantially greater privileges, potentially taking complete control of the affected system.
Microsoft rates CVE-2026-50335 as Important, while its CVSS 3.1 base score of 7.8 places it in the High severity range. The company’s exploitability assessment says exploitation is less likely, and Microsoft reported neither active exploitation nor public disclosure when the advisory was published.
A Local Foothold Could Become Full Control
CVE-2026-50335 is not a remotely exploitable, pre-authentication vulnerability. Its CVSS vector indicates that an attacker must execute the attack locally and already possess low-level privileges. No additional user interaction is required, and Microsoft describes the attack complexity as low.Those constraints limit the initial attack surface, but they do not make the flaw harmless. Elevation-of-privilege vulnerabilities are commonly used after an attacker has obtained an ordinary user account through phishing, credential theft, a malicious application, or exploitation of a separate remote vulnerability.
The reported security impact is high across confidentiality, integrity, and availability. In practical terms, successful exploitation could let an attacker cross a Windows security boundary, access protected information, modify system resources, install persistent malware, interfere with security controls, or disrupt the machine.
Microsoft associates CVE-2026-50335 with CWE-284, Improper Access Control. That broad classification means Windows failed to enforce an intended restriction around a protected resource or operation, although the public advisory does not identify the specific Windows component, service, API, or object involved.
The absence of component-level detail reduces immediate exposure to copy-and-paste exploitation, but it also leaves defenders with little telemetry specific to this vulnerability. There is no process name, event ID, registry path, driver, or service behavior that administrators can use as a reliable CVE-specific detection signal.
“Confirmed” Does Not Mean Exploited
The report-confidence text displayed in Microsoft’s advisory can be easy to misread. A Confirmed rating means Microsoft or other authoritative evidence has verified that the vulnerability exists and that the available technical assessment is credible.It does not mean Microsoft has observed attackers exploiting CVE-2026-50335. The July 14 advisory lists the vulnerability as not publicly disclosed and not exploited, while assigning “Exploitation Less Likely” to Microsoft’s latest supported software releases.
These measurements answer different questions:
- Report confidence indicates whether the vulnerability and its technical basis have been confirmed.
- The exploitability assessment estimates the likelihood that reliable attack code will be developed and used.
- The publicly disclosed field indicates whether vulnerability details were available before the update.
- The exploited field reflects Microsoft’s knowledge of real-world attacks.
Administrators should therefore avoid describing this particular flaw as actively exploited. Its urgency comes instead from the breadth of affected Windows releases, the low-complexity local attack path, and the severe outcome once an attacker has secured an initial foothold.
The Fix Arrives Through Windows Cumulative Updates
Microsoft addressed CVE-2026-50335 through the regular July cumulative updates rather than a standalone package. Installing the applicable cumulative update also brings in the rest of that operating system’s July security fixes and quality changes.The principal patched builds include:
- Windows 10 versions 21H2 and 22H2 receive KB5099539, moving to builds 19044.7548 and 19045.7548.
- Windows 10 version 1809 and Windows Server 2019 receive KB5099538, moving to build 17763.9020.
- Windows 11 versions 24H2 and 25H2 receive KB5101650, moving to builds 26100.8875 and 26200.8875.
- Windows 11 version 26H1 receives KB5101649, moving to build 28000.2525.
- Windows Server 2022 receives KB5099540, moving to build 20348.5386.
- Windows Server 2025 receives KB5099536, moving to build 26100.33158.
Windows 10 also requires lifecycle awareness. Windows 10 version 22H2 reached the end of free support on October 14, 2025, so ordinary consumer and unmanaged installations need enrollment in Extended Security Updates to continue receiving fixes such as KB5099539. Windows 10 Enterprise LTSC 2019, Enterprise LTSC 2021, and qualifying IoT editions remain covered according to their separate lifecycle dates.
Updates are available through Windows Update, Windows Update for Business, Microsoft Update Catalog, and Windows Server Update Services where supported. Managed environments should verify successful installation by checking the resulting OS build rather than relying only on an update deployment status of “installed.”
Patch Testing Still Matters This Month
The July cumulative updates contain more than the CVE-2026-50335 fix. Microsoft also introduced security hardening around third-party Transport Driver Interface transports, expanded SHA-2 support for trusted Remote Desktop publisher certificates, and continued deployment work related to newer Secure Boot certificates.That creates compatibility considerations for enterprise rollouts. Applications using sockets over unregistered third-party TDI transports may stop working after the July updates, while older Remote Desktop publishing workflows that still depend on SHA-1 thumbprints should be moved toward SHA-256 or stronger algorithms.
Microsoft has also documented a BitLocker recovery scenario affecting a limited subset of managed systems with an unrecommended Group Policy configuration. The condition involves OS-drive BitLocker, explicit PCR7 validation settings, a system reporting that PCR7 binding is not possible, and deployment of the Windows UEFI CA 2023 certificate. Administrators managing such configurations should review BitLocker policy and ensure recovery keys are available before broad deployment.
Those issues justify staged validation, but not an indefinite delay. CVE-2026-50335 provides a low-complexity route from limited local access to a high-impact compromise, exactly the type of vulnerability that becomes more dangerous when chained with phishing, stolen credentials, or another initial-access bug.
Security teams should deploy the July 14 cumulative update to representative Windows client and server rings, validate line-of-business networking and BitLocker behavior, and then expand the rollout. The concrete completion check is straightforward: affected machines should be running the July 2026 build for their Windows branch, with unsupported Windows 10 systems either covered by ESU or removed from production use.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org