CVE-2026-50377: July 2026 Updates Fix Windows Kernel Data Exposure

CVE-2026-50377, a Windows Kernel elevation-of-privilege vulnerability, is fixed in Microsoft’s July 14, 2026 security updates for affected Windows 10, Windows 11, and Windows Server installations. The flaw requires local access and existing credentials, but successful exploitation could expose data normally protected from the attacker.
Detailed in Microsoft’s Security Update Guide and newly published in the National Vulnerability Database, CVE-2026-50377 is rated Important by Microsoft and carries a CVSS 3.1 base score of 5.5, or Medium. Administrators should deploy the corresponding July cumulative update rather than treating that relatively modest score as a reason to leave kernel code unpatched.

Cybersecurity dashboard showing protected Windows systems, devices, and a red threat warning.A Kernel Read That Crosses a Security Boundary​

Microsoft describes CVE-2026-50377 as an out-of-bounds read in the Windows Kernel, categorized under CWE-125. This class of memory-safety error occurs when software reads beyond the boundary of an intended buffer or data structure, potentially exposing information from adjacent memory.
The published CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, the attacker must already be able to run code locally with low privileges, exploitation is considered low complexity, and no separate user interaction is required.
The confidentiality impact is rated High, while integrity and availability impacts are rated None. That distinction matters: the currently documented outcome is unauthorized access to sensitive information, not arbitrary kernel memory modification, system corruption, or a remotely triggered crash.
Microsoft nevertheless classifies the issue as an elevation-of-privilege vulnerability. That framing indicates the out-of-bounds read can let an authorized but restricted user cross a privilege boundary and obtain information unavailable at their current access level.
This is not a drive-by browser attack or an unauthenticated network exploit. It is more relevant after an attacker has gained an initial foothold through stolen credentials, malicious software, a compromised application, or another vulnerability and is attempting to expand access on the machine.

July’s Cumulative Updates Carry the Fix​

The CVE record identifies several supported and extended-support Windows branches as affected. Microsoft’s version thresholds show that systems below the July 2026 build for their branch remain vulnerable.
Key client update targets include:
  • Windows 11 versions 24H2 and 25H2 receive KB5101650, taking the operating system to builds 26100.8875 and 26200.8875 respectively.
  • Windows 11 version 26H1 receives KB5101649 and moves to build 28000.2525.
  • Windows 10 versions 21H2 and 22H2 receive KB5099539, producing builds 19044.7548 and 19045.7548.
  • Windows 10 version 1809 and Windows Server 2019 receive KB5099538, moving to build 17763.9020.
  • Windows 10 version 1607 and Windows Server 2016 receive KB5099535, moving to build 14393.9339.
The affected-product record includes x64, Arm64, and 32-bit systems where those architectures remain applicable. Server Core installations are also represented in Microsoft’s affected-product data, so the lack of a desktop shell does not remove exposure to this kernel defect.
Because these are cumulative updates, administrators do not need a separate CVE-specific package. A machine at or above the corrected build for its Windows servicing branch contains the fix, while a lower build should be treated as unpatched unless Microsoft subsequently issues a superseding or out-of-band package.
Windows 10 deserves particular attention. General support for Windows 10 version 22H2 ended on October 14, 2025, so ordinary consumer and business devices require enrollment in the Extended Security Updates program to receive KB5099539. Enterprise LTSC and IoT Enterprise LTSC editions follow their own support timelines.
Administrators can check the current build with winver, PowerShell, endpoint-management inventory, or their vulnerability scanner. The verification should use the full revision number—such as 26100.8875—not merely the feature release label “Windows 11 24H2.”

The CVSS Score Does Not Tell the Whole Deployment Story​

A 5.5 score places CVE-2026-50377 well below the headline-grabbing critical vulnerabilities that permit unauthenticated remote code execution. Its prerequisites sharply constrain the attack path: the adversary needs local access, low-level privileges, and a way to execute exploit code on the target.
That does not make the issue harmless. Kernel vulnerabilities are valuable components in exploit chains because attackers frequently begin with restricted execution and then look for a second flaw that defeats operating-system isolation.
The confidentiality rating suggests the immediate risk is disclosure of kernel or process memory. Depending on what is exposed, such information could potentially reveal sensitive data or help an attacker defeat mitigations needed for a later exploitation stage, although Microsoft has not published technical detail demonstrating a specific chain.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data reports no observed exploitation and says the vulnerability is not readily automatable. As of July 15, CVE-2026-50377 is not presented as an actively exploited zero-day, and the public record does not contain proof-of-concept code or detailed exploitation instructions.
That combination supports normal expedited patching rather than emergency isolation of every affected machine. Internet-facing servers may not be directly reachable through this CVE, but servers that host multiple users, Remote Desktop sessions, build agents, virtual desktops, or third-party workloads have more opportunities for a low-privileged process to reach the vulnerable kernel path.
Security teams should also avoid confusing Microsoft’s Important severity rating with the NVD’s current enrichment status. The NVD entry was still awaiting its own analysis shortly after publication and was displaying Microsoft’s CNA-supplied score and vector. That is a data-processing state, not evidence that the vulnerability is disputed or unconfirmed.

Patch Validation Matters More Than a Scanner Banner​

For managed environments, the first job is to establish whether July’s cumulative update actually reached each affected servicing branch. A vulnerability scanner that detects only “Windows Kernel” without evaluating the installed build can generate stale findings after an update or overlook systems stranded on unsupported releases.
A sensible validation sequence is to inventory the Windows version, architecture, edition, installed cumulative update, and complete OS build. Devices should then be compared against the corrected build threshold for that exact branch.
Extra scrutiny belongs on systems where local code execution is expected or widely delegated. Shared Remote Desktop Session Hosts, developer workstations, jump servers, kiosks running third-party software, and machines permitting untrusted scripts all provide more plausible starting points than tightly controlled single-purpose servers.
Existing controls remain useful while an organization completes testing. Removing unnecessary local administrator membership, enforcing application control, restricting interactive server logons, monitoring unusual process behavior, and keeping Microsoft Defender or another endpoint detection platform current can limit the initial foothold needed to reach the flaw. None of those measures replaces the kernel update.
Deployment teams should test the July cumulative packages against business-critical drivers, endpoint agents, VPN clients, and other software that interacts closely with Windows. Microsoft currently lists no general known issue for KB5099538 or KB5099539, while KB5101650 has a separate availability restriction for a limited number of Dell devices with Intel processors because Dell reported potential shutdown, performance, heat, and battery problems.
That Dell safeguard creates a practical exception for some Windows 11 24H2 and 25H2 fleets: the update may not be offered until compatibility is resolved. Administrators responsible for affected hardware should track Microsoft and Dell guidance rather than bypassing the safeguard merely to satisfy a CVE dashboard.
CVE-2026-50377 is therefore a straightforward patching case with a familiar enterprise wrinkle. The exploit requires an existing foothold and there is no reported active abuse, but the vulnerable code sits in the Windows Kernel and the attack requires no additional user interaction once local execution is obtained. The concrete target is the July 14, 2026 cumulative build for each supported Windows branch; any affected system below that threshold remains part of the privilege-escalation attack surface.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
 

Back
Top