CVE-2026-50356: Install KB5101650 to Fix Windows App Store Privilege Escalation

CVE-2026-50356 is a newly patched Microsoft Windows App Store race-condition vulnerability that can let a locally authenticated attacker elevate privileges, potentially gaining broad control over an affected PC or server. Microsoft addressed the flaw in its July 14, 2026 security updates, making deployment of the corresponding Windows cumulative update the practical fix rather than simply checking the Microsoft Store for app updates.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, CVE-2026-50356 carries a CVSS 3.1 base score of 7.0, rated High by the scoring system and Important by Microsoft. The vulnerability affects supported Windows 10, Windows 11, and Windows Server releases, including Windows 11 versions 24H2, 25H2, and 26H1.
This is not a drive-by compromise or an unauthenticated network attack. Exploitation requires local access and existing low-level privileges, but it does not require another user to click a link, open a file, or approve a prompt.

Cybersecurity illustration showing AppX, locked data, threat threads, Windows shields, and a July 2026 Patch Tuesday update.A Race Condition Opens the Privilege Boundary​

Microsoft describes CVE-2026-50356 as concurrent execution involving a shared resource without proper synchronization, classified as CWE-362. In practical terms, the Windows App Store component does not reliably control the order in which certain operations access or modify the same resource.
An attacker who can trigger those operations at precisely the right time may be able to create a time-of-check to time-of-use condition. The system can validate one state and then act on a different state after the attacker changes the underlying resource during the narrow timing window.
Microsoft’s CVSS vector is AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. That translates into several important deployment considerations:
  • The attack must be launched locally rather than directly across a network.
  • The attacker must already have a low-privileged account or another way to execute code on the machine.
  • Exploitation is considered high complexity because the race condition requires circumstances or timing that may not be consistently reproducible.
  • No separate user interaction is required once the attacker is in position.
  • A successful attack can have a high impact on confidentiality, integrity, and availability.
The National Vulnerability Database’s initial record says an authorized attacker can elevate privileges locally. It does not disclose the exact object being raced, the privileged process involved, or the final security context obtained after exploitation. Administrators should therefore avoid assuming the flaw is limited to Store-installed applications or consumer Microsoft accounts.
Race conditions are frequently less dependable than straightforward permission errors, but that does not make them harmless. Attackers can automate repeated attempts until the timing aligns, particularly when they already have code execution on a target and can afford to retry without attracting immediate attention.

The Fix Arrives Through Windows Servicing​

Despite the “Windows App Store” product name, the affected-version data points to a Windows operating-system update as the remediation path. Microsoft’s monthly cumulative updates raise each affected release to a build that is no longer listed as vulnerable.
For current Windows 11 deployments, the most relevant package is KB5101650. It updates Windows 11 version 24H2 to OS Build 26100.8875 and Windows 11 version 25H2 to OS Build 26200.8875. Microsoft says the package is available through Windows Update, Windows Update for Business, the Microsoft Update Catalog, and Windows Server Update Services.
Windows 11 version 26H1 is affected below Build 28000.2269. Older branches are also covered, including Windows 10 versions 1607, 1809, 21H2, and 22H2, although many ordinary Windows 10 installations are now outside their normal consumer support window and may require an applicable servicing channel or extended security arrangement.
The affected build thresholds published in the CVE record include:
  • Windows 10 versions 21H2 and 22H2 are affected below Builds 19044.7548 and 19045.7548, respectively.
  • Windows 11 version 24H2 is affected below Build 26100.8875.
  • Windows 11 version 25H2 is affected below Build 26200.8875.
  • Windows 11 version 26H1 is affected below Build 28000.2269.
  • Windows Server 2016 is affected below Build 14393.9339.
  • Windows Server 2019 is affected below Build 17763.9020.
  • Windows Server 2022 is affected below Build 20348.5386.
Windows Server 2025 and its Server Core installation are also included in the affected product data. The broad server coverage reinforces that administrators should treat “App Store” as the vulnerable Windows component’s name, not as evidence that servers without interactive Store use can be ignored.
For Windows Server 2022, Microsoft’s July package is KB5099540, taking the operating system to Build 20348.5386. As with the Windows 11 package, it is a cumulative update containing the month’s wider collection of security and quality fixes.

Store Updates Alone Are Not the Answer​

Microsoft distinguishes operating-system servicing from updates to applications distributed through the Microsoft Store. Windows cumulative updates do not generally update every Store application, while selecting “Get updates” in the Store does not substitute for installing the July Windows security update.
That distinction matters here because the vulnerable product name could send users toward the wrong update mechanism. Checking the Store library is sensible routine maintenance, but CVE-2026-50356 should be validated against the installed Windows build and July cumulative-update status.
On Windows 11, administrators can check the build by running winver, reviewing Settings under System and About, or querying managed endpoints through PowerShell, Microsoft Intune, Configuration Manager, or their vulnerability-management platform. Compliance rules should test for the applicable KB or the superseding OS build rather than merely checking whether the Microsoft Store application launches successfully.
CISA’s initial SSVC data recorded no known exploitation and assessed the vulnerability as not readily automatable. The technical impact was nevertheless marked total, reflecting the potential severity if exploitation succeeds. There is currently no public evidence in the NVD record that CVE-2026-50356 was being used in attacks when Microsoft released the fix on July 14.
That lowers the case for emergency isolation of otherwise healthy systems, but it does not justify postponing the update indefinitely. Local elevation vulnerabilities are commonly paired with phishing, malicious installers, browser flaws, exposed remote-management credentials, or other initial-access techniques. Once an attacker lands as a standard user, a reliable privilege-escalation path can turn a limited foothold into administrative control.

Administrators Still Need to Test the July Rollup​

CVE-2026-50356 is only one item in an unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 Microsoft vulnerabilities addressed during the cycle, including multiple publicly disclosed or actively exploited issues. Organizations therefore have stronger reasons to deploy the rollup than this App Store flaw alone.
Testing remains important because the cumulative updates include security hardening and behavior changes beyond CVE-2026-50356. Microsoft has warned that applications using sockets over unregistered third-party TDI transports may stop working after updates released on or after July 14. Certain server configurations may also encounter a one-time BitLocker recovery prompt when an unrecommended PCR7 policy configuration is present.
The appropriate response is to validate the July packages against representative endpoints, confirm BitLocker recovery-key escrow for managed devices, and then move through normal expedited security-update rings. Systems that cannot be patched promptly should have local logon rights restricted, application control enforced, and unusual child processes or privilege changes associated with Store and AppX components investigated.
For most supported Windows 11 systems, the clean compliance target is straightforward: install KB5101650 or a later cumulative update and verify Build 26100.8875, 26200.8875, or newer as appropriate. The vulnerability’s high attack complexity may make exploitation less convenient, but leaving a known local route toward elevated privileges gives any attacker who already reaches the desktop another opportunity to take over the machine.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
  3. Official source: support.microsoft.com
 

Back
Top