CVE-2026-50347: Install July Updates to Fix Windows Data.dll RCE

Microsoft has patched CVE-2026-50347, a high-severity code-execution vulnerability in Windows Data.dll that affects supported Windows 10, Windows 11, and Windows Server releases. The flaw carries a CVSS 3.1 score of 7.8 and can let an unauthorized attacker run code after convincing a user to interact with malicious content.
Detailed in the Microsoft Security Response Center’s July 14, 2026 advisory, the vulnerability is caused by a heap-based buffer overflow involving an integer overflow or wraparound. Microsoft has included the fix in the July 2026 cumulative security updates, making deployment the primary action for users and administrators.
Despite Microsoft’s “Remote Code Execution” title, this is not described as an unauthenticated, network-reachable attack against an exposed Windows service. Its CVSS vector specifies local access and required user interaction, an important distinction when prioritizing the patch alongside more readily exploitable July vulnerabilities.

Cybersecurity dashboard showing Windows updates, threat blocking, vulnerability protection, and server patch compliance.Data.dll Can Corrupt Memory During Local Processing​

Microsoft describes CVE-2026-50347 as a heap-based buffer overflow in Windows Data.dll. The associated weakness classifications are CWE-122, covering heap-based buffer overflows, and CWE-190, covering integer overflow or wraparound conditions.
An integer calculation error can cause software to allocate an incorrectly sized memory buffer. If attacker-controlled data is subsequently copied or processed using the wrong size, memory outside that buffer can be overwritten. Depending on the affected process and available mitigations, that corruption may cause a crash or permit execution of attacker-supplied code.
Microsoft’s CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In practical terms, exploitation has low complexity and requires no existing privileges, but an attacker needs a local attack path and must persuade a user to perform an action.
A successful exploit could have a high impact on confidentiality, integrity, and availability. The code would execute within the security context of the process handling the malicious input, so the ultimate damage would depend partly on the privileges held by the targeted user or application.
The advisory does not publicly identify the exact file format, application workflow, or user action needed to reach the vulnerable Data.dll code. Administrators therefore should not assume that restricting one familiar attachment type or application is a sufficient workaround.

The RCE Label Does Not Mean Zero-Click Network Exploitation​

The vulnerability’s name may initially suggest that an attacker can send a packet to an unpatched PC or server and immediately execute code. Microsoft’s scoring data describes a more constrained route.
The AV:L rating means exploitation occurs through a local access path rather than directly across the network. The UI:R rating means another user must participate, such as by opening or processing malicious content. This fits a common Windows attack chain in which a file, archive, download, email attachment, or shared resource is delivered remotely but exploitation occurs only after local processing.
That distinction reduces exposure for unattended servers that do not routinely process untrusted content, but it does not make the vulnerability harmless. Phishing, compromised websites, collaboration platforms, and shared storage can all deliver content that eventually reaches a local Windows component.
CISA’s initial Stakeholder-Specific Vulnerability Categorization record reported no known exploitation and assessed the attack as not readily automatable. Microsoft’s July advisory also did not identify CVE-2026-50347 as publicly disclosed or exploited in the wild at publication time.
Those assessments represent the state of knowledge on July 14, not a guarantee that exploitation will remain impractical. Microsoft has confirmed the vulnerability and released production fixes, while the disclosed weakness classes give researchers and attackers useful direction for patch analysis.

Supported Client and Server Releases Need the July Builds​

The affected range spans legacy Windows deployments and Microsoft’s current client and server platforms. Systems below the following fixed build levels remain vulnerable according to Microsoft’s CVE data:
  • Windows 10 version 1607 and Windows Server 2016 must reach build 14393.9339 or later.
  • Windows 10 version 1809 and Windows Server 2019 must reach build 17763.9020 or later.
  • Windows 10 versions 21H2 and 22H2 must reach builds 19044.7548 and 19045.7548 respectively.
  • Windows 11 versions 24H2 and 25H2 must reach builds 26100.8875 and 26200.8875 respectively.
  • Windows 11 version 26H1 must reach build 28000.2269 or later.
  • Windows Server 2012 must reach build 9200.26226, while Windows Server 2012 R2 must reach build 9600.23291.
  • Windows Server 2022 must reach build 20348.5386 or later.
  • Windows Server 2025 must reach build 26100.33158 or later.
Server Core installations are affected where Microsoft lists them, including Windows Server 2012, 2012 R2, 2016, 2019, and 2025. That breadth indicates the vulnerable component is part of the underlying Windows servicing footprint rather than an optional desktop-only application.
For Windows 10 versions 21H2 and 22H2, the relevant July cumulative update is KB5099539, which advances those systems to OS builds 19044.7548 and 19045.7548. Windows Server 2022 receives build 20348.5386 through KB5099540. Other affected versions have their own July servicing packages and should be matched against Microsoft’s deployment information rather than relying on a similarly numbered update intended for another release.
Administrators can check client builds with winver, PowerShell, endpoint-management inventory, or the operating-system build fields exposed through Microsoft Intune, Configuration Manager, and other asset platforms. Update compliance should be measured against the fixed build number, not simply whether a device reports that it checked for updates.

Patch Priority Depends on How Systems Handle Untrusted Data​

CVE-2026-50347 is not known to be under active attack, and its required user interaction makes it less urgent than a zero-click, remotely reachable server vulnerability. It nevertheless deserves timely deployment because it offers code execution without requiring the attacker to possess an account or existing privileges.
Workstations used for email, web browsing, downloads, document handling, development, and support operations have the clearest exposure. Shared terminal servers, virtual desktop infrastructure, jump hosts, and administrative workstations also warrant attention because users may process content there while holding access to sensitive systems.
For servers, administrators should consider workload rather than relying solely on the local attack-vector classification. A server that imports customer files, processes uploaded data, runs interactive desktop applications, or hosts user sessions may provide the interaction path needed to reach Data.dll.
Organizations unable to install the July update immediately should reduce opportunities for users to open untrusted content, apply attachment and download controls, and avoid routine use of privileged accounts for interactive work. Those measures can narrow the attack path, but Microsoft has not documented a complete workaround that replaces the security update.
The immediate operational target is straightforward: deploy the July 14 cumulative updates, restart where required, and verify that every affected endpoint has reached its listed fixed build. With no public exploit or observed exploitation reported at release, administrators have a window to patch through normal expedited procedures—but the low-complexity memory corruption means that window should not be treated as indefinite.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top