CVE-2026-50361: KB5101650 Fixes Windows 11 Privilege Escalation

Microsoft has fixed CVE-2026-50361, a high-severity elevation-of-privilege vulnerability in the Microsoft Brokering File System affecting Windows 11 24H2, Windows 11 25H2, selected Windows 11 26H1 devices, and Windows Server 2025. An authenticated local attacker could exploit the flaw to gain elevated privileges, potentially taking full control of a compromised machine.
Detailed in Microsoft’s Security Update Guide on July 14, 2026, the vulnerability carries a CVSS 3.1 base score of 7.8. Microsoft’s assessment describes a low-complexity local attack that requires existing low-level privileges but no interaction from another user.
The practical response is straightforward: install the applicable cumulative update and verify that the resulting Windows build meets or exceeds Microsoft’s fixed-build threshold.

Cybersecurity graphic showing Windows updates mitigating a double-free privilege-escalation vulnerability.A Double Free Opens the Privilege Boundary​

CVE-2026-50361 is attributed to a double-free memory-management error in the Microsoft Brokering File System. The CVE record also associates it with a race condition, indicating that improper synchronization around a shared resource may permit the same memory allocation to be released more than once.
Double-free conditions can corrupt process memory and disrupt assumptions made by the operating system’s memory allocator. Depending on the affected component and the attacker’s control over timing and memory contents, that corruption may be turned into code execution at a more privileged security level.
Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, the attack is local rather than network-based, requires a valid low-privilege foothold, has low attack complexity, and does not depend on a victim opening a file or clicking a prompt.
Successful exploitation can have a high impact on confidentiality, integrity, and availability. That combination is why a vulnerability that cannot be reached directly over the network still receives a 7.8 score: once exploited, it can allow an attacker to cross a critical Windows privilege boundary.
This is not an initial-access vulnerability. An attacker would first need to run code or obtain an account on the target. It becomes more dangerous when chained with phishing, credential theft, a browser sandbox escape, malicious software, or another weakness that provides limited local execution.

Windows 11 and Server 2025 Carry the Exposure​

The Microsoft-supplied CVE data identifies a relatively narrow set of current Windows releases. Older Windows 10 and Windows Server versions are not listed as affected in the initial record.
The affected and fixed-build boundaries are:
  • Windows 11 24H2 on x64 and Arm64 is affected before OS Build 26100.8875.
  • Windows 11 25H2 on x64 and Arm64 is affected before OS Build 26200.8875.
  • Windows 11 26H1 on x64 and Arm64 is affected before OS Build 28000.2269.
  • Windows Server 2025 is affected before OS Build 26100.33158.
  • Windows Server 2025 Server Core installations are affected before OS Build 26100.33158.
For Windows 11 24H2 and 25H2, the relevant July cumulative update is KB5101650, released July 14. Microsoft’s support documentation identifies the resulting builds as 26100.8875 and 26200.8875.
Windows Server 2025 receives the fix through KB5099536, which advances the operating system to Build 26100.33158. The same threshold applies to both Desktop Experience and Server Core installations.
The Windows 11 26H1 entry deserves closer attention. Microsoft’s CVE data places the fixed boundary at Build 28000.2269, a build already delivered through the June 2026 cumulative update KB5095051. That suggests supported 26H1 systems that installed June’s security update already contain the relevant correction, even though CVE-2026-50361 was not published until July 14.
Administrators should use the actual OS build rather than relying solely on whether an update installation was reported as successful. Running winver, querying inventory through Microsoft Intune or Configuration Manager, or checking CurrentBuildNumber and UBR in the Windows registry can confirm the installed revision.

Confirmed Does Not Mean Exploited​

The supplied “report confidence” language describes how much confidence exists in a vulnerability and its technical details. For CVE-2026-50361, the important distinction is between a vulnerability being confirmed by the vendor and evidence that attackers are exploiting it in the wild.
The National Vulnerability Database lists the issue as awaiting NVD enrichment, but it reproduces Microsoft’s description, affected-product data, CVSS score, and weakness classifications. CISA’s initial SSVC data records no known exploitation and considers automated exploitation unlikely, while rating the potential technical impact as total.
There was no indication in the initial public record that CVE-2026-50361 had been publicly disclosed before the patch or used in active attacks. No public proof-of-concept exploit was identified at publication time. That puts it below an actively exploited zero-day in immediate urgency, but it does not justify leaving exposed endpoints unpatched.
Publication itself changes the risk calculation. Attackers now have the component name, weakness class, affected builds, and patched binaries that can be compared with vulnerable versions. Patch comparison frequently supplies enough information for researchers—and eventually exploit developers—to narrow down the corrected code path.
The requirement for local access also should not be mistaken for a strong barrier inside enterprise environments. Commodity malware commonly begins under a standard user account and then searches for a privilege-escalation route capable of disabling security tools, accessing protected credentials, establishing persistence, or moving laterally.

Patch Deployment Has One Dell-Specific Complication​

KB5101650 is distributed through Windows Update, Windows Update for Business, Microsoft Intune, WSUS, and the Microsoft Update Catalog. Microsoft says it is not aware of general known issues with the cumulative update, but availability is being restricted for a limited number of Dell PCs with Intel processors.
According to Microsoft’s July release notes, Dell reported an incompatibility that can cause unexpected shutdowns, reduced performance, additional heat, and battery drain. Microsoft and Dell are using a safeguard hold to prevent the update from reaching affected models while they prepare a resolution.
That creates a temporary security-management problem for organizations with covered Dell hardware. Devices blocked from KB5101650 may remain below the CVE-2026-50361 fixed-build threshold, so administrators should not assume that a routine Windows Update scan means the vulnerability has been remediated.
For those systems, IT teams should identify the affected Dell models, monitor Microsoft’s release-health guidance, and avoid bypassing the safeguard without vendor approval. Compensating controls should focus on reducing local code execution opportunities, limiting interactive logons, enforcing application control, and monitoring attempts by ordinary user processes to obtain elevated tokens or launch privileged child processes.
Windows Server 2025 deployments should receive equal attention. Server Core reduces exposed user-interface components, but Microsoft explicitly lists Server Core as affected; it is not a mitigation for this flaw. KB5099536 is also a baseline update in the Server 2025 hotpatch calendar, meaning a restart may be required depending on the servicing configuration.
CVE-2026-50361 is therefore a conventional but consequential Patch Tuesday privilege-escalation issue: it needs an existing foothold, yet offers high impact after exploitation. The immediate milestone is measurable—Windows 11 systems should reach their listed fixed builds, and Windows Server 2025 should report Build 26100.33158—while Dell systems held back from KB5101650 remain the deployment exception administrators must track.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top