Microsoft has fixed CVE-2026-50354, a Windows Kernel use-after-free vulnerability that can let a locally authenticated attacker elevate privileges. The flaw carries a CVSS 3.1 score of 7.1 and affects supported Windows 10, Windows 11, and Windows Server releases, making the July 14, 2026 security updates the practical remedy for most installations.
Detailed in Microsoft’s Security Update Guide and published as part of the July 2026 Patch Tuesday release, CVE-2026-50354 is rated Important rather than Critical. Microsoft’s assessment indicates that exploitation requires local access and low privileges, but does not require user interaction once those conditions are met.
The National Vulnerability Database describes the underlying weakness as CWE-416, or use after free. Microsoft has not publicly documented the vulnerable kernel function, the precise memory-management sequence involved, or a reliable workaround that would substitute for installing the security update.
A use-after-free vulnerability occurs when software continues to access memory after that memory has been released. If an attacker can influence what subsequently occupies the freed memory, the stale reference may be turned into memory corruption and, in some cases, controlled execution.
That risk is particularly significant inside the Windows kernel. Successful exploitation can allow code already running under a restricted account to cross a security boundary and gain more powerful privileges, potentially including SYSTEM-level control depending on the exploit chain.
The CVSS vector assigned by Microsoft is
Microsoft assigns no direct confidentiality impact in that vector, but rates the potential integrity and availability effects as High. An attacker who successfully elevates privileges could modify protected system resources, interfere with security software, install persistent components, or disrupt the machine.
This is not a vulnerability that can be triggered directly over the network on an otherwise inaccessible PC. It is more useful as a second-stage privilege-escalation tool after an attacker has gained an initial foothold through phishing, credential theft, a malicious download, an exposed service, or another vulnerability.
Affected releases include:
For Windows 11 versions 24H2 and 25H2, Microsoft delivers the fix through KB5101650. Installing that cumulative update moves Windows 11 24H2 to OS Build 26100.8875 and Windows 11 25H2 to OS Build 26200.8875.
Windows 10 version 22H2 and version 21H2 receive KB5099539 under supported ESU and LTSC configurations, advancing those branches to builds 19045.7548 and 19044.7548 respectively. The corresponding fixed thresholds for older branches include build 14393.9339 for Windows 10 version 1607 and Windows Server 2016, and build 17763.9020 for Windows 10 version 1809 and Windows Server 2019.
Windows Server 2022 is protected at build 20348.5386 or later, delivered through KB5099540. Windows Server 2025 is listed as fixed at build 26100.33158 or later through KB5099536.
Administrators should validate the installed OS build rather than relying only on whether Windows Update reports that a recent cumulative update was installed. Different Windows servicing branches can use different KB packages, while deployment tools may report installation state before a restart has completed the replacement of kernel components.
That lowers the immediate urgency compared with an actively exploited zero-day, but it does not make the flaw low priority. Local elevation-of-privilege vulnerabilities are routinely paired with initial-access techniques because malware frequently begins execution with the rights of the compromised user.
The low-complexity rating is especially relevant for shared systems, remote desktop hosts, developer workstations, jump boxes, and servers where multiple users or service identities can run code. On those systems, the requirement for prior local access may already be satisfied by normal operating conditions.
Public technical detail is limited at release. There is no vendor-published proof of concept, no documented vulnerable kernel interface, and no confirmed exploit chain that administrators can convert into a dependable detection rule. Microsoft’s report-confidence assessment indicates that the vulnerability itself is confirmed, not that exploit code is necessarily circulating.
Endpoint monitoring can still help detect behavior surrounding an attempted compromise. Security teams should investigate unexpected child processes from user-writable directories, suspicious driver activity, changes to protected services, security-tool tampering, and unusual processes obtaining SYSTEM privileges. Those indicators are not specific to CVE-2026-50354, but they can expose the activity an attacker would perform after successful elevation.
For enterprise deployments, the sensible order is to test the July cumulative updates against security agents, storage software, virtualization tooling, and other products that install kernel-mode components. Deployment should then move quickly through workstation and server rings, with internet-facing management systems and multi-user hosts receiving particular attention.
Administrators should verify that systems have reached at least the fixed build for their servicing branch and that any required restart has taken place. Vulnerability scanners may continue to flag a machine when an update is staged but its patched kernel has not yet loaded.
The July updates also contain other security fixes and platform changes, so normal compatibility testing remains necessary. Microsoft says it is not currently aware of issues with KB5101650 or KB5099539, although that status can change as deployment expands across different hardware and enterprise configurations.
CVE-2026-50354 is not a remote, unauthenticated compromise by itself, and there was no evidence of active exploitation at publication. Its value to an attacker comes after initial access, when control of the Windows kernel can turn a constrained intrusion into full machine compromise; reaching the July 14, 2026 fixed build is therefore the only reliable way to close that path.
Detailed in Microsoft’s Security Update Guide and published as part of the July 2026 Patch Tuesday release, CVE-2026-50354 is rated Important rather than Critical. Microsoft’s assessment indicates that exploitation requires local access and low privileges, but does not require user interaction once those conditions are met.
The National Vulnerability Database describes the underlying weakness as CWE-416, or use after free. Microsoft has not publicly documented the vulnerable kernel function, the precise memory-management sequence involved, or a reliable workaround that would substitute for installing the security update.
A Local Flaw With System-Level Consequences
A use-after-free vulnerability occurs when software continues to access memory after that memory has been released. If an attacker can influence what subsequently occupies the freed memory, the stale reference may be turned into memory corruption and, in some cases, controlled execution.That risk is particularly significant inside the Windows kernel. Successful exploitation can allow code already running under a restricted account to cross a security boundary and gain more powerful privileges, potentially including SYSTEM-level control depending on the exploit chain.
The CVSS vector assigned by Microsoft is
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. In practical terms, an attacker needs local execution and an existing low-privilege account, while the attack is considered low complexity and requires no additional action from another user.Microsoft assigns no direct confidentiality impact in that vector, but rates the potential integrity and availability effects as High. An attacker who successfully elevates privileges could modify protected system resources, interfere with security software, install persistent components, or disrupt the machine.
This is not a vulnerability that can be triggered directly over the network on an otherwise inaccessible PC. It is more useful as a second-stage privilege-escalation tool after an attacker has gained an initial foothold through phishing, credential theft, a malicious download, an exposed service, or another vulnerability.
Supported Windows Generations Share the Exposure
Microsoft’s affected-product record spans both client and server editions. The breadth reflects the flaw’s location in the Windows kernel rather than an optional application or narrowly deployed server role.Affected releases include:
- Windows 10 versions 1607, 1809, 21H2, and 22H2 are affected where those releases remain eligible for servicing.
- Windows 11 versions 24H2, 25H2, and 26H1 are affected on x64 and Arm64 systems.
- Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 are affected.
- Server Core installations are affected where Microsoft lists them separately for the corresponding Windows Server release.
For Windows 11 versions 24H2 and 25H2, Microsoft delivers the fix through KB5101650. Installing that cumulative update moves Windows 11 24H2 to OS Build 26100.8875 and Windows 11 25H2 to OS Build 26200.8875.
Windows 10 version 22H2 and version 21H2 receive KB5099539 under supported ESU and LTSC configurations, advancing those branches to builds 19045.7548 and 19044.7548 respectively. The corresponding fixed thresholds for older branches include build 14393.9339 for Windows 10 version 1607 and Windows Server 2016, and build 17763.9020 for Windows 10 version 1809 and Windows Server 2019.
Windows Server 2022 is protected at build 20348.5386 or later, delivered through KB5099540. Windows Server 2025 is listed as fixed at build 26100.33158 or later through KB5099536.
Administrators should validate the installed OS build rather than relying only on whether Windows Update reports that a recent cumulative update was installed. Different Windows servicing branches can use different KB packages, while deployment tools may report installation state before a restart has completed the replacement of kernel components.
No Active Exploitation Reported, but the Attack Path Is Familiar
Microsoft and the Zero Day Initiative did not classify CVE-2026-50354 as publicly disclosed or exploited in the wild when the July updates were released. CISA’s initial SSVC assessment also recorded no known exploitation and judged the vulnerability not readily automatable.That lowers the immediate urgency compared with an actively exploited zero-day, but it does not make the flaw low priority. Local elevation-of-privilege vulnerabilities are routinely paired with initial-access techniques because malware frequently begins execution with the rights of the compromised user.
The low-complexity rating is especially relevant for shared systems, remote desktop hosts, developer workstations, jump boxes, and servers where multiple users or service identities can run code. On those systems, the requirement for prior local access may already be satisfied by normal operating conditions.
Public technical detail is limited at release. There is no vendor-published proof of concept, no documented vulnerable kernel interface, and no confirmed exploit chain that administrators can convert into a dependable detection rule. Microsoft’s report-confidence assessment indicates that the vulnerability itself is confirmed, not that exploit code is necessarily circulating.
Endpoint monitoring can still help detect behavior surrounding an attempted compromise. Security teams should investigate unexpected child processes from user-writable directories, suspicious driver activity, changes to protected services, security-tool tampering, and unusual processes obtaining SYSTEM privileges. Those indicators are not specific to CVE-2026-50354, but they can expose the activity an attacker would perform after successful elevation.
The Cumulative Update Is the Security Boundary
Microsoft has not published a configuration-based mitigation that removes exposure while retaining normal Windows kernel functionality. Restricting interactive logon, application execution, Remote Desktop access, and local account use can reduce opportunities for an attacker, but those controls do not correct the memory-safety defect.For enterprise deployments, the sensible order is to test the July cumulative updates against security agents, storage software, virtualization tooling, and other products that install kernel-mode components. Deployment should then move quickly through workstation and server rings, with internet-facing management systems and multi-user hosts receiving particular attention.
Administrators should verify that systems have reached at least the fixed build for their servicing branch and that any required restart has taken place. Vulnerability scanners may continue to flag a machine when an update is staged but its patched kernel has not yet loaded.
The July updates also contain other security fixes and platform changes, so normal compatibility testing remains necessary. Microsoft says it is not currently aware of issues with KB5101650 or KB5099539, although that status can change as deployment expands across different hardware and enterprise configurations.
CVE-2026-50354 is not a remote, unauthenticated compromise by itself, and there was no evidence of active exploitation at publication. Its value to an attacker comes after initial access, when control of the Windows kernel can turn a constrained intrusion into full machine compromise; reaching the July 14, 2026 fixed build is therefore the only reliable way to close that path.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org