Microsoft has patched CVE-2026-50345, an Important-rated Windows Runtime elevation-of-privilege vulnerability affecting Windows 11 versions 24H2, 25H2, and 26H1, along with Windows Server 2025. Administrators running Windows 11 24H2 or 25H2 should deploy the July 14, 2026 cumulative update KB5101650 and verify that endpoints have reached builds 26100.8875 or 26200.8875.
Detailed in Microsoft’s Security Update Guide and published with the July 2026 Patch Tuesday release, the flaw is a local privilege-escalation issue caused by improper synchronization during concurrent access to a shared resource. The National Vulnerability Database lists both CWE-362, a race condition, and CWE-416, a use-after-free condition.
Microsoft assigned CVE-2026-50345 a CVSS 3.1 base score of 7.0. The vulnerability was not identified as publicly disclosed or exploited when the July updates were released, according to Microsoft data compiled by the SANS Internet Storm Center.
CVE-2026-50345 is not a remote entry point. Its CVSS vector,
That sharply separates this vulnerability from a remotely exploitable flaw in a network-facing Windows service. An attacker cannot simply target an exposed IP address and use CVE-2026-50345 as the first step into a machine.
The security boundary still matters once an attacker has obtained an ordinary account or found another way to execute code. Successful exploitation could elevate that foothold, giving the attacker extensive control over confidentiality, integrity, and availability on the affected system. In practical terms, a privilege-escalation bug can turn a constrained compromise into an administrative one.
Microsoft describes the underlying problem as concurrent execution against a shared resource without proper synchronization. A race condition arises when security-sensitive behavior depends on which of two or more operations completes first. Attackers attempt to manipulate that timing so the program reaches a state its developers did not intend.
The accompanying use-after-free classification indicates that memory may remain accessible after the program considers it released. Race conditions and use-after-free bugs can be difficult to exploit reliably because timing, memory layout, processor scheduling, and background activity may all affect the result. That complexity is reflected in the vector’s
High complexity is not the same as low impact. Once exploit developers find a repeatable sequence, automation can reduce a timing-sensitive attack to a tool that is far easier to use than the original research process.
The version thresholds recorded by Microsoft and carried into the National Vulnerability Database are:
The Windows 11 26H1 threshold requires closer reading. Build 28000.2269 corresponds to KB5095051, which Microsoft released on June 9, 2026. That means a 26H1 machine already carrying the June cumulative security update meets the version threshold listed for this CVE, even though Microsoft published the vulnerability record on July 14.
This distinction matters for compliance scanners and vulnerability-management systems. A newly published CVE does not always imply that every affected branch first received its correction on the CVE publication date. Administrators should evaluate installed build numbers and Microsoft’s applicability metadata rather than assuming that the month printed on the advisory maps to an identically dated package across every Windows servicing branch.
Windows Server 2025 also needs separate validation because its servicing build sequence differs from the Windows 11 client line despite sharing the 26100 base. Server Core is explicitly listed, so removing the desktop shell does not remove exposure to this Windows Runtime flaw.
That distinction is easy to miss when scanning a long Security Update Guide entry. Severity, exploitability, and confidence answer different questions:
The available description remains sparse. Microsoft has not publicly identified the exact Windows Runtime service, process, API, or triggering operation involved. There is also no public proof of concept attached to the initial record. That limits defensive opportunities outside installing the corrected cumulative update: there is no documented registry workaround, service-disablement strategy, or narrowly defined telemetry pattern that administrators can safely use as a substitute.
Shared workstations, developer PCs, virtual desktop infrastructure, jump hosts, and systems permitting interactive access deserve particular attention. Windows Server 2025 systems that allow multiple administrators, application operators, or other delegated users also present a more useful target than tightly controlled servers with no routine local sign-in.
Security teams should search inventory data for the affected product and build combinations, then use the installed OS revision as the primary confirmation. On Windows 11 24H2 and 25H2,
The normal staged-deployment process still applies because KB5101650 is a full cumulative update rather than a standalone fix for CVE-2026-50345. Microsoft’s July package also introduces networking and Remote Desktop hardening changes and carries the quality improvements from June’s optional preview. Enterprises should test those broader changes, but delaying the package indefinitely leaves the Windows Runtime privilege boundary exposed.
For most managed Windows 11 fleets, the actionable line is straightforward: deploy KB5101650, confirm the final build rather than relying only on a successful installation status, and investigate machines that remain below 26100.8875 or 26200.8875. Windows 11 26H1 devices should be at least build 28000.2269, while Windows Server 2025 requires validation against its separate 26100.33158 threshold.
Detailed in Microsoft’s Security Update Guide and published with the July 2026 Patch Tuesday release, the flaw is a local privilege-escalation issue caused by improper synchronization during concurrent access to a shared resource. The National Vulnerability Database lists both CWE-362, a race condition, and CWE-416, a use-after-free condition.
Microsoft assigned CVE-2026-50345 a CVSS 3.1 base score of 7.0. The vulnerability was not identified as publicly disclosed or exploited when the July updates were released, according to Microsoft data compiled by the SANS Internet Storm Center.
A Local Foothold Is Required, but the Payoff Is High
CVE-2026-50345 is not a remote entry point. Its CVSS vector, CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, says an attacker must already have local access and low-level privileges, while successful exploitation requires no interaction from another user.That sharply separates this vulnerability from a remotely exploitable flaw in a network-facing Windows service. An attacker cannot simply target an exposed IP address and use CVE-2026-50345 as the first step into a machine.
The security boundary still matters once an attacker has obtained an ordinary account or found another way to execute code. Successful exploitation could elevate that foothold, giving the attacker extensive control over confidentiality, integrity, and availability on the affected system. In practical terms, a privilege-escalation bug can turn a constrained compromise into an administrative one.
Microsoft describes the underlying problem as concurrent execution against a shared resource without proper synchronization. A race condition arises when security-sensitive behavior depends on which of two or more operations completes first. Attackers attempt to manipulate that timing so the program reaches a state its developers did not intend.
The accompanying use-after-free classification indicates that memory may remain accessible after the program considers it released. Race conditions and use-after-free bugs can be difficult to exploit reliably because timing, memory layout, processor scheduling, and background activity may all affect the result. That complexity is reflected in the vector’s
AC:H, or high attack complexity, rating.High complexity is not the same as low impact. Once exploit developers find a repeatable sequence, automation can reduce a timing-sensitive attack to a tool that is far easier to use than the original research process.
The Supported Windows Builds That Need Attention
Microsoft’s CVE record identifies a narrower product set than the generic “Windows Runtime” name might suggest. The affected releases are current Windows 11 platforms and Windows Server 2025 rather than every supported Windows generation.The version thresholds recorded by Microsoft and carried into the National Vulnerability Database are:
- Windows 11 version 24H2 on x64 and Arm64 is affected below build 26100.8875.
- Windows 11 version 25H2 on x64 and Arm64 is affected below build 26200.8875.
- Windows 11 version 26H1 on x64 and Arm64 is affected below build 28000.2269.
- Windows Server 2025 and its Server Core installation are affected below build 26100.33158.
The Windows 11 26H1 threshold requires closer reading. Build 28000.2269 corresponds to KB5095051, which Microsoft released on June 9, 2026. That means a 26H1 machine already carrying the June cumulative security update meets the version threshold listed for this CVE, even though Microsoft published the vulnerability record on July 14.
This distinction matters for compliance scanners and vulnerability-management systems. A newly published CVE does not always imply that every affected branch first received its correction on the CVE publication date. Administrators should evaluate installed build numbers and Microsoft’s applicability metadata rather than assuming that the month printed on the advisory maps to an identically dated package across every Windows servicing branch.
Windows Server 2025 also needs separate validation because its servicing build sequence differs from the Windows 11 client line despite sharing the 26100 base. Server Core is explicitly listed, so removing the desktop shell does not remove exposure to this Windows Runtime flaw.
Confidence Is Not a Second Severity Score
The confidence text shown in Microsoft’s advisory describes the CVSS Report Confidence metric. It measures how certain the vendor is that the vulnerability exists and how much credible technical information supports the assessment. It does not measure the damage an exploit could cause, nor does it indicate that exploitation has been observed.That distinction is easy to miss when scanning a long Security Update Guide entry. Severity, exploitability, and confidence answer different questions:
- The 7.0 base score measures the vulnerability’s inherent technical characteristics.
- Attack complexity describes the conditions needed to exploit it.
- Report confidence reflects the quality and certainty of the available evidence.
- Public disclosure and exploitation status describe what is known about activity outside Microsoft.
The available description remains sparse. Microsoft has not publicly identified the exact Windows Runtime service, process, API, or triggering operation involved. There is also no public proof of concept attached to the initial record. That limits defensive opportunities outside installing the corrected cumulative update: there is no documented registry workaround, service-disablement strategy, or narrowly defined telemetry pattern that administrators can safely use as a substitute.
Patch Priority Depends on Where Local Access Starts
CVE-2026-50345 should be treated as a post-compromise escalation path rather than an Internet perimeter emergency. That does not make it optional. Privilege-escalation flaws are frequently valuable in attack chains because phishing payloads, browser exploits, malicious documents, and compromised credentials often begin execution without full administrative rights.Shared workstations, developer PCs, virtual desktop infrastructure, jump hosts, and systems permitting interactive access deserve particular attention. Windows Server 2025 systems that allow multiple administrators, application operators, or other delegated users also present a more useful target than tightly controlled servers with no routine local sign-in.
Security teams should search inventory data for the affected product and build combinations, then use the installed OS revision as the primary confirmation. On Windows 11 24H2 and 25H2,
winver, Settings, PowerShell inventory, Intune, Configuration Manager, or an endpoint-management platform should report build 26100.8875 or 26200.8875 after KB5101650 is installed successfully.The normal staged-deployment process still applies because KB5101650 is a full cumulative update rather than a standalone fix for CVE-2026-50345. Microsoft’s July package also introduces networking and Remote Desktop hardening changes and carries the quality improvements from June’s optional preview. Enterprises should test those broader changes, but delaying the package indefinitely leaves the Windows Runtime privilege boundary exposed.
For most managed Windows 11 fleets, the actionable line is straightforward: deploy KB5101650, confirm the final build rather than relying only on a successful installation status, and investigate machines that remain below 26100.8875 or 26200.8875. Windows 11 26H1 devices should be at least build 28000.2269, while Windows Server 2025 requires validation against its separate 26100.33158 threshold.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org