CVE-2026-50372: Install July Updates to Stop Windows EoP

CVE-2026-50372, a Windows Redirected Drive Buffering elevation-of-privilege vulnerability, was addressed in Microsoft’s July 14, 2026 security updates across supported Windows 11, Windows 10, and Windows Server releases. The flaw carries a CVSS 3.1 score of 7.0 and could let a low-privileged local attacker gain extensive control over a vulnerable machine.
Microsoft’s Security Response Center describes the underlying defect as a buffer over-read in Windows Redirected Drive Buffering. The National Vulnerability Database, which received the record from Microsoft on July 14, classifies it under both CWE-126 for buffer over-read and CWE-122 for heap-based buffer overflow.
The immediate action is straightforward: install the July 2026 cumulative security update applicable to each Windows device. This is not a network-borne, no-authentication compromise, but it is relevant to administrators because privilege-escalation bugs are frequently used after an attacker obtains an initial foothold through phishing, malicious software, a vulnerable application, or stolen credentials.

Cybersecurity infographic showing a Windows RDP buffer over-read vulnerability, server impact, and July 2026 patching.Local Access Narrows the Door, Not the Damage​

Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, exploitation requires local access, low-level privileges, and a comparatively complex attack sequence. No additional user interaction is required once those conditions are met.
Those requirements explain why the score stops at 7.0 despite Microsoft assigning high potential impacts to confidentiality, integrity, and availability. An attacker cannot simply send an unsolicited packet across the internet and take over a Windows PC through CVE-2026-50372.
The consequences after successful exploitation are considerably more serious. Microsoft’s vector indicates that an attacker could potentially access protected data, alter system resources, and disrupt the affected machine. The scope remains unchanged, meaning exploitation stays within the security authority managed by the vulnerable Windows component rather than crossing into another security domain.
This makes CVE-2026-50372 a post-compromise accelerator. Malware running as an ordinary user is constrained by Windows access controls, User Account Control, service permissions, and protected system locations. A working elevation-of-privilege exploit can help it move beyond those boundaries, tamper with security settings, establish deeper persistence, or operate with system-level authority.
The high attack-complexity rating is an important mitigating factor, but it should not be treated as a permanent barrier. Complexity measures the conditions needed to make an exploit work reliably; it does not mean exploitation is impossible. Public research or attacker experimentation can reduce that practical difficulty over time.
Microsoft has not publicly detailed the precise memory layout, trigger sequence, or redirected-drive operation needed to exploit the flaw. That limited technical disclosure reduces immediate copy-and-paste exploitability, while leaving defenders with little meaningful mitigation beyond applying the corrected Windows builds.

The Fault Reaches Across the Windows Fleet​

The affected-product record is broad. It covers Windows 11 versions 24H2, 25H2, and 26H1, along with Windows 10 versions 1607, 1809, 21H2, and 22H2. Several of those Windows 10 releases remain relevant through specialized servicing channels even though they are no longer ordinary consumer configurations.
On the server side, Microsoft lists Windows Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022, and Server 2025. Server Core installations are explicitly affected where Microsoft provides that installation option.
The breadth suggests that the vulnerable code is shared across multiple generations of Windows rather than being introduced by a recent Windows 11 feature. It also means administrators should not limit detection and remediation work to interactive Remote Desktop hosts simply because the component’s name references redirected drives.
Microsoft’s affected-version data identifies these corrected build thresholds:
  • Windows 11 24H2 should be updated to OS Build 26100.8875 or later.
  • Windows 11 25H2 should be updated to OS Build 26200.8875 or later.
  • Windows 10 21H2 should be updated to OS Build 19044.7548 or later.
  • Windows 10 22H2 should be updated to OS Build 19045.7548 or later.
  • Windows Server 2016 should be updated to OS Build 14393.9339 or later.
  • Windows Server 2019 should be updated to OS Build 17763.9020 or later.
  • Windows Server 2022 should be updated to OS Build 20348.5386 or later.
  • Windows Server 2025 should be updated to OS Build 26100.33158 or later.
Windows 11 24H2 and 25H2 receive the fix through KB5101650, which advances the operating systems to builds 26100.8875 and 26200.8875 respectively. Microsoft says it is not currently aware of general issues with that cumulative update.
Windows Server 2022 receives build 20348.5386 through KB5099540. That update has a documented BitLocker caveat for a limited set of managed systems using an unrecommended PCR7 Group Policy configuration, so administrators should review Microsoft’s deployment guidance rather than broadly delaying the entire security rollout.
Windows 11 26H1 is serviced by KB5101649, bringing it to build 28000.2525. Microsoft’s CVE data lists builds earlier than 28000.2269 as affected, making current July-patched 26H1 systems newer than the stated corrected threshold.

Redirected Drives Put Session Hosts in Focus​

Windows drive redirection is most visible in Remote Desktop environments, where a user can expose a client-side disk or folder inside a remote Windows session. Redirected resources commonly appear under names such as “C on CLIENT” and allow files to move between the endpoint and session host without a conventional network share.
That does not establish the exact exploit path for CVE-2026-50372; Microsoft has not published enough technical detail to make that claim. It does, however, make Remote Desktop Session Hosts, jump servers, virtual desktop infrastructure, and shared administrative systems sensible priorities during deployment.
These systems combine multiple users, redirected local resources, long-running sessions, and access to sensitive corporate services. Even when an elevation flaw demands high complexity, a successful attack against a shared host can carry more operational value than the same exploit on an isolated workstation.
Disabling drive redirection may reduce exposure to functionality associated with the affected subsystem, but Microsoft has not presented it as a complete workaround for CVE-2026-50372. Administrators should therefore avoid substituting an RDP policy change for the security update. If patching must be staged, restricting drive redirection for untrusted or lower-assurance sessions can be considered a supplementary control.
Endpoint detection teams should also continue watching for the behavior that follows privilege escalation rather than relying on a CVE-specific signature. Unexpected service creation, new scheduled tasks, security-tool interference, access to protected credential material, and processes crossing abruptly from a standard-user context into SYSTEM remain useful signals.

Confidence Is High Even While Technical Detail Is Thin​

The confidence language accompanying Microsoft’s advisory describes how strongly the vulnerability’s existence and technical characterization have been established. In this case, the finding is vendor-confirmed: Microsoft assigned the CVE, supplied the affected-product ranges, scored the issue, identified the memory-safety weakness, and shipped corrected builds.
That is different from knowing every exploit-development detail. Confidence in the vulnerability is not the same as confidence that exploitation is easy or imminent. Microsoft’s own scoring says the opposite on the latter point by assigning high attack complexity.
The National Vulnerability Database was still awaiting its independent enrichment when the record was published. Its displayed 7.0 score and vector came from Microsoft in its role as the CVE Numbering Authority, rather than from a separate NIST assessment.
CVE-2026-50372 was also not identified in initial Patch Tuesday reporting as one of July’s actively exploited or publicly disclosed zero-days. BleepingComputer reported that Microsoft’s unusually large July release addressed hundreds of vulnerabilities, including separate flaws already exploited in attacks. That context lowers the immediate priority of CVE-2026-50372 relative to confirmed zero-days, but it does not justify leaving the update out of the normal security cycle.
For most environments, the correct response is to verify that July 14 cumulative updates reached both endpoints and servers, paying particular attention to RDS and VDI infrastructure. The remaining uncertainty is not whether the bug exists; it is how quickly researchers or attackers can turn Microsoft’s confirmed buffer over-read into a dependable privilege-escalation chain.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top