CVE-2026-50346: Patch Windows Netlogon RPC Privilege Escalation

CVE-2026-50346, a newly disclosed Windows elevation-of-privilege vulnerability associated with Netlogon RPC, was patched in Microsoft’s July 14, 2026 security updates. Microsoft rates the flaw Important with a CVSS 3.1 score of 7.8, and administrators should treat it as a post-compromise privilege-escalation risk across supported Windows client and server releases.
The Microsoft Security Response Center published the vulnerability on July 14 as part of its monthly security release. Microsoft’s machine-readable CVE description identifies an improper-authorization weakness in the Windows RPC Runtime that allows an already authorized attacker to elevate privileges locally.
That wording establishes two important boundaries: this is not described as an unauthenticated attack from the internet, and exploitation requires an attacker to have some existing access to the target. It can nevertheless provide the step that turns a limited user foothold into control over a Windows system.

Enterprise Windows network infographic showing an AD domain controller, CVE threat, access escalation, and defenses.Local Access Does Not Make the Flaw Low Risk​

Microsoft assigned CVE-2026-50346 the CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, the attack is local, has low complexity, requires low privileges, and needs no interaction from another user.
Successful exploitation can have a high impact on confidentiality, integrity, and availability. That combination is typical of a vulnerability that becomes valuable after an attacker obtains an ordinary account through phishing, credential theft, an exposed remote-access service, or exploitation of another application.
The CVSS vector does not prove that exploitation grants SYSTEM privileges in every scenario, and Microsoft’s short public description does not document the precise security boundary crossed. It does, however, indicate that the resulting privilege level is powerful enough to justify maximum impact ratings across all three security objectives.
For defenders, CVE-2026-50346 should therefore be evaluated as part of an attack chain rather than in isolation. Endpoint protection may stop an initial payload, while credential controls may limit account access, but an unpatched local privilege-escalation flaw gives an intruder another route around those layers once code is running.
The absence of required user interaction also matters. An attacker would not need to persuade a second user to open a file, approve a prompt, or visit a malicious site after reaching the vulnerable machine.

The Affected List Spans Windows 10 Through Server 2025​

The CVE record covers a broad range of Windows versions, including current Windows 11 releases and multiple generations of Windows Server. The affected builds listed by Microsoft include:
  • Windows 11 version 24H2 builds earlier than 26100.8875.
  • Windows 11 version 25H2 builds earlier than 26200.8875.
  • Windows 11 version 26H1 builds earlier than 28000.2269.
  • Windows 10 version 22H2 builds earlier than 19045.7548.
  • Windows 10 version 21H2 builds earlier than 19044.7548.
  • Windows 10 version 1809 builds earlier than 17763.9020.
  • Windows 10 version 1607 builds earlier than 14393.9339.
  • Windows Server 2025 builds earlier than 26100.33158.
  • Windows Server 2022 builds earlier than 20348.5386.
  • Windows Server 2019 builds earlier than 17763.9020.
  • Windows Server 2016 builds earlier than 14393.9339.
  • Windows Server 2012 R2 builds earlier than 9600.23291.
  • Windows Server 2012 builds earlier than 9200.26226.
Server Core installations are explicitly represented for Windows Server 2012, 2012 R2, 2016, 2019, and 2025. That is relevant to organizations that assume removing the desktop experience also removes most local escalation exposure; Server Core reduces attack surface, but it does not eliminate vulnerabilities in foundational Windows services such as RPC.
Some Windows 10 and Windows Server versions in this list are available only under particular servicing or extended-security arrangements. Their appearance in the affected record should not be read as a change to Microsoft’s lifecycle policies. Organizations retaining those systems must verify that they have the appropriate update entitlement and that July’s package is actually offered through their servicing channel.
Administrators should validate deployment by build number rather than relying solely on an update-management console’s broad “compliant” state. Devices can appear generally up to date while missing a specific cumulative update because of applicability errors, servicing-stack trouble, pending restarts, or scan synchronization delays.

The Netlogon Name Needs Careful Reading​

The advisory title associates CVE-2026-50346 with Netlogon RPC, while the concise CVE description published through Microsoft and reproduced by the National Vulnerability Database refers more generally to “RPC Runtime.” Those labels are related but not interchangeable, and the initial public material does not provide enough technical detail to map the complete vulnerable call path.
Netlogon is especially sensitive in enterprise environments because it participates in secure communication between domain members and domain controllers. RPC, meanwhile, is a fundamental Windows communication mechanism used by many services. Administrators should avoid inferring from the title alone that the weakness can be exploited remotely against a domain controller or that it reproduces the behavior of earlier Netlogon vulnerabilities.
Microsoft’s CVSS assessment explicitly marks the attack vector as local. That is the stronger operational signal until Microsoft publishes additional technical details or revises the advisory.
The underlying weakness is categorized as CWE-285, Improper Authorization. This classification generally means software fails to enforce an intended authorization decision correctly, but it does not identify the vulnerable function, required token state, RPC interface, or exploit technique.
That limited disclosure raises the confidence that the vulnerability exists—Microsoft has acknowledged and patched it—without providing would-be attackers or defenders with a complete technical blueprint. The National Vulnerability Database was still awaiting its own enrichment when the record appeared, meaning Microsoft’s CNA assessment remained the principal public source for severity and affected-version data.

Domain Controllers Deserve the Fastest Deployment Window​

CVE-2026-50346 does not carry the network-access characteristics of a wormable Windows flaw, but domain controllers and other identity infrastructure should still sit near the front of the deployment queue. A local privilege-escalation vulnerability on an identity server becomes dangerous when paired with any route that lets an attacker execute code under a constrained account.
Security teams should first identify affected domain controllers, privileged access workstations, jump servers, Remote Desktop Session Hosts, and multi-user Windows systems. These machines offer either unusually valuable credentials or a greater chance that a low-privilege account can coexist with highly privileged activity.
Endpoints should follow through the normal accelerated security-update ring. Organizations that cannot patch immediately can reduce exposure by limiting interactive and remote logons, enforcing application control, monitoring unexpected processes launched under service contexts, and investigating attempts to manipulate RPC- or Netlogon-related services. Those controls are compensating measures, not replacements for the cumulative update.
There is no public technical evidence in the initial records that disabling Netlogon, blocking RPC broadly, or making an unsupported registry change safely mitigates CVE-2026-50346. Such actions could also disrupt domain authentication and Windows management. Administrators should avoid improvised workarounds unless Microsoft supplies explicit guidance.
The practical response is straightforward: deploy the July 14, 2026 cumulative updates, reboot where required, and confirm that every affected device has reached or exceeded Microsoft’s corrected build. With exploitation requiring only low privileges and no user interaction, patch completion—not update approval—is the milestone that closes this escalation path.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top