CVE-2026-50364 is a high-severity Windows Backup Service elevation-of-privilege vulnerability fixed in Microsoft’s July 14, 2026 security updates. Administrators should prioritize the cumulative updates for affected Windows 10 and Windows 11 systems, particularly shared endpoints where an attacker could already obtain a low-privilege account.
Microsoft’s Security Response Center describes the flaw as improper link resolution before file access in Windows Server Backup. The vulnerability carries a CVSS 3.1 base score of 7.3 and could allow an authorized local attacker to gain elevated privileges, potentially compromising the confidentiality, integrity, and availability of the affected system.
Despite the “Windows Server Backup” component name, Microsoft’s initial CVE record lists Windows client releases rather than Windows Server editions. That distinction matters for inventory and remediation: administrators should follow the affected-product table, not assume the vulnerability applies only to machines running a Windows Server SKU.
Microsoft identifies the weakness as CWE-59, Improper Link Resolution Before File Access, commonly called link following. This class of vulnerability occurs when a privileged process accesses a file or directory without safely resolving symbolic links, junctions, mount points, or similar filesystem redirections.
In a typical link-following attack, a low-privilege user prepares a filesystem object that appears to point to an ordinary location. When a more privileged service subsequently reads, writes, deletes, or replaces that object, the redirection can cause the operation to target a protected location instead.
Microsoft has not published a full proof of concept or the precise file operation used by CVE-2026-50364. The available description nevertheless indicates that the Windows backup component performs an unsafe path-resolution operation under circumstances an authorized attacker can influence.
The CVSS vector is
That profile makes CVE-2026-50364 unsuitable for initial compromise directly over the internet. Its more realistic role is as part of an attack chain: phishing, credential theft, a malicious application, or another vulnerability first establishes limited access, after which CVE-2026-50364 may provide a path across the local privilege boundary.
The potential result is serious. Microsoft’s scoring assigns high impact to confidentiality, integrity, and availability, indicating that successful exploitation could give the attacker broad control over the affected machine rather than access to a narrowly scoped resource.
Windows 11 version 24H2 and 25H2 receive KB5101650, producing builds 26100.8875 and 26200.8875. Windows 11 version 26H1 receives KB5101649 and moves to build 28000.2525.
The 26H1 version data deserves some care. Microsoft’s CVE record uses “less than 28000.2269” as the affected range, even though build 28000.2269 was released in June through KB5095051 and the CVE itself was published with the July updates. Installing KB5101649 is therefore the clearest remediation path because it contains Microsoft’s current July security fixes and supersedes the earlier build.
Administrators can confirm the installed build by running
A build comparison is more reliable than merely checking whether Windows Update reports that a scan completed. Devices subject to update deferrals, safeguard holds, failed installations, stale WSUS approvals, or incomplete reboots can remain behind the required security baseline.
It does not mean attacks have been confirmed in the wild. The National Vulnerability Database record was still awaiting NIST enrichment following publication, while CISA’s initial assessment recorded no known exploitation and described the issue as not readily automatable.
Those details lower the immediate emergency level compared with an actively exploited zero-day, but they do not make the patch optional. Local privilege-escalation vulnerabilities are valuable to ransomware operators, penetration testers, and malware developers because they can convert an otherwise constrained foothold into control of the operating system.
The requirement for user interaction may reduce the reliability of fully unattended exploitation. Microsoft has not disclosed what that interaction entails, however, so administrators should not assume it requires an unusually conspicuous action or an administrator manually approving the attack.
No detailed workaround has been published that provides the same assurance as installing the cumulative update. Disabling backup-related functionality based solely on the component name could also disrupt recovery processes without fully addressing an undisclosed attack path.
Organizations using Microsoft Intune, Windows Autopatch, Configuration Manager, or WSUS should verify installation and reboot compliance for KB5099539, KB5101650, and KB5101649 as appropriate. Security teams should also watch for suspicious creation or manipulation of symbolic links, junctions, and reparse points around backup-related paths, although Microsoft has not released enough technical detail to define a CVE-specific detection rule.
Testing remains appropriate because the July cumulative updates include changes beyond this vulnerability. Microsoft’s release notes also document networking hardening, Secure Boot work, Remote Desktop security changes, and fixes for earlier compatibility problems, meaning enterprise validation should cover more than the Windows Backup Service alone.
The decisive control is the installed OS build. Once affected Windows 10 machines reach 19044.7548 or 19045.7548, Windows 11 24H2 and 25H2 reach 26100.8875 or 26200.8875, and Windows 11 26H1 reaches 28000.2525 through KB5101649, the July servicing baseline contains Microsoft’s remediation for CVE-2026-50364.
Microsoft’s Security Response Center describes the flaw as improper link resolution before file access in Windows Server Backup. The vulnerability carries a CVSS 3.1 base score of 7.3 and could allow an authorized local attacker to gain elevated privileges, potentially compromising the confidentiality, integrity, and availability of the affected system.
Despite the “Windows Server Backup” component name, Microsoft’s initial CVE record lists Windows client releases rather than Windows Server editions. That distinction matters for inventory and remediation: administrators should follow the affected-product table, not assume the vulnerability applies only to machines running a Windows Server SKU.
July Updates Close the Privilege Boundary
Microsoft identifies the weakness as CWE-59, Improper Link Resolution Before File Access, commonly called link following. This class of vulnerability occurs when a privileged process accesses a file or directory without safely resolving symbolic links, junctions, mount points, or similar filesystem redirections.In a typical link-following attack, a low-privilege user prepares a filesystem object that appears to point to an ordinary location. When a more privileged service subsequently reads, writes, deletes, or replaces that object, the redirection can cause the operation to target a protected location instead.
Microsoft has not published a full proof of concept or the precise file operation used by CVE-2026-50364. The available description nevertheless indicates that the Windows backup component performs an unsafe path-resolution operation under circumstances an authorized attacker can influence.
The CVSS vector is
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. In practical terms, exploitation requires local access, low privileges, and interaction by another user, but Microsoft considers the attack complexity low once those conditions are met.That profile makes CVE-2026-50364 unsuitable for initial compromise directly over the internet. Its more realistic role is as part of an attack chain: phishing, credential theft, a malicious application, or another vulnerability first establishes limited access, after which CVE-2026-50364 may provide a path across the local privilege boundary.
The potential result is serious. Microsoft’s scoring assigns high impact to confidentiality, integrity, and availability, indicating that successful exploitation could give the attacker broad control over the affected machine rather than access to a narrowly scoped resource.
The Affected Builds Span Windows 10 and Windows 11
The initial Microsoft CVE data identifies five affected Windows branches across x86, x64, and Arm64 configurations where applicable. Systems below the following fixed build thresholds should be treated as exposed:- Windows 10 version 21H2 is affected before build 19044.7548.
- Windows 10 version 22H2 is affected before build 19045.7548.
- Windows 11 version 24H2 is affected before build 26100.8875.
- Windows 11 version 25H2 is affected before build 26200.8875.
- Windows 11 version 26H1 is identified in the CVE data with build 28000.2269 as the relevant boundary, while the July cumulative update advances it to build 28000.2525.
Windows 11 version 24H2 and 25H2 receive KB5101650, producing builds 26100.8875 and 26200.8875. Windows 11 version 26H1 receives KB5101649 and moves to build 28000.2525.
The 26H1 version data deserves some care. Microsoft’s CVE record uses “less than 28000.2269” as the affected range, even though build 28000.2269 was released in June through KB5095051 and the CVE itself was published with the July updates. Installing KB5101649 is therefore the clearest remediation path because it contains Microsoft’s current July security fixes and supersedes the earlier build.
Administrators can confirm the installed build by running
winver, checking Settings under System and About, querying endpoint-management inventory, or using PowerShell:Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsBuildNumberA build comparison is more reliable than merely checking whether Windows Update reports that a scan completed. Devices subject to update deferrals, safeguard holds, failed installations, stale WSUS approvals, or incomplete reboots can remain behind the required security baseline.
“Confirmed” Describes Evidence, Not Active Exploitation
The report-confidence metric supplied with Microsoft’s advisory is Confirmed. This means Microsoft, as the affected vendor and assigning CVE authority, has confirmed the vulnerability and considers the technical evidence credible.It does not mean attacks have been confirmed in the wild. The National Vulnerability Database record was still awaiting NIST enrichment following publication, while CISA’s initial assessment recorded no known exploitation and described the issue as not readily automatable.
Those details lower the immediate emergency level compared with an actively exploited zero-day, but they do not make the patch optional. Local privilege-escalation vulnerabilities are valuable to ransomware operators, penetration testers, and malware developers because they can convert an otherwise constrained foothold into control of the operating system.
The requirement for user interaction may reduce the reliability of fully unattended exploitation. Microsoft has not disclosed what that interaction entails, however, so administrators should not assume it requires an unusually conspicuous action or an administrator manually approving the attack.
No detailed workaround has been published that provides the same assurance as installing the cumulative update. Disabling backup-related functionality based solely on the component name could also disrupt recovery processes without fully addressing an undisclosed attack path.
Patch the Endpoints Attackers Would Use as Stepping Stones
CVE-2026-50364 should be handled as an endpoint privilege-boundary problem rather than a remotely exploitable backup-server emergency. Prioritize multi-user systems, administrator workstations, jump hosts, developer machines, virtual desktop pools, and endpoints where untrusted users or software can create filesystem objects.Organizations using Microsoft Intune, Windows Autopatch, Configuration Manager, or WSUS should verify installation and reboot compliance for KB5099539, KB5101650, and KB5101649 as appropriate. Security teams should also watch for suspicious creation or manipulation of symbolic links, junctions, and reparse points around backup-related paths, although Microsoft has not released enough technical detail to define a CVE-specific detection rule.
Testing remains appropriate because the July cumulative updates include changes beyond this vulnerability. Microsoft’s release notes also document networking hardening, Secure Boot work, Remote Desktop security changes, and fixes for earlier compatibility problems, meaning enterprise validation should cover more than the Windows Backup Service alone.
The decisive control is the installed OS build. Once affected Windows 10 machines reach 19044.7548 or 19045.7548, Windows 11 24H2 and 25H2 reach 26100.8875 or 26200.8875, and Windows 11 26H1 reaches 28000.2525 through KB5101649, the July servicing baseline contains Microsoft’s remediation for CVE-2026-50364.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com