CVE-2026-50385: Install KB5101650 to Fix Windows 11 Privilege Escalation

CVE-2026-50385 is a high-severity Windows Runtime race-condition vulnerability that can let a locally authenticated attacker elevate privileges, with Windows 11 versions 24H2 and 25H2 and Windows Server 2025 requiring the July 14, 2026 security updates. Microsoft assigned the flaw a CVSS 3.1 base score of 8.8 out of 10, reflecting the potentially complete loss of confidentiality, integrity, and availability after successful exploitation.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, the vulnerability affects Windows Runtime through improper synchronization of a shared resource. Microsoft associates it with both CWE-362, a race condition, and CWE-416, a use-after-free condition.
This is not a remote, unauthenticated entry point. An attacker must already have low-level privileges and execute code locally, but exploitation requires no user interaction and Microsoft rates attack complexity as low. That combination makes CVE-2026-50385 particularly relevant to administrators concerned about malware, compromised user accounts, shared systems, and multi-stage intrusions.

Cybersecurity illustration showing a Windows race-condition vulnerability between standard and system users.A Local Foothold Can Become a System-Level Compromise​

Microsoft describes CVE-2026-50385 as concurrent execution using a shared resource without proper synchronization. In practical terms, two operations can interact with the same memory or object in an unsafe order, potentially allowing an attacker to manipulate the resulting state.
The accompanying use-after-free classification suggests that Windows Runtime may continue to access an object after the associated memory has been released. Attackers often attempt to reclaim such memory with controlled data, turning what might otherwise be an application crash into a privilege-escalation primitive.
Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. It describes a vulnerability with a local attack vector, low attack complexity, low privileges required, and no dependency on another user clicking a file or approving a prompt.
The scope-change rating is significant. Microsoft’s assessment indicates that exploitation can cross a security boundary and affect resources governed by a different security authority than the vulnerable component. A successful attacker could consequently gain extensive access to data, alter protected resources, or disrupt the affected machine.
Privilege-escalation vulnerabilities rarely form an attacker’s initial route onto a PC. They become dangerous after that first boundary has already failed—for example, through a malicious attachment, stolen credentials, an exposed remote-management tool, or another code-execution vulnerability. CVE-2026-50385 could then reportedly provide the step from an ordinary user context to a much more powerful one.

July’s Builds Define the Safe Baseline​

According to Microsoft’s CVE record, Windows 11 version 24H2 is affected on ARM64 and x64 systems running builds earlier than 26100.8875. Windows 11 version 25H2 is affected on the same architectures below build 26200.8875.
Microsoft delivered those build levels through the July 2026 cumulative update KB5101650. Organizations running either release should verify the installed OS build rather than relying solely on a successful-looking update deployment report, particularly where quality-update deferrals or staged update rings are in use.
Windows Server 2025 and its Server Core installation are affected below build 26100.33158. Microsoft’s July 14 cumulative update, KB5099536, advances Server 2025 to that protected build and includes the relevant security fixes.
The affected-version data currently lists these remediation thresholds:
  • Windows 11 version 24H2 must be updated to build 26100.8875 or later.
  • Windows 11 version 25H2 must be updated to build 26200.8875 or later.
  • Windows 11 version 26H1 must be on build 28000.2269 or later.
  • Windows Server 2025, including Server Core, must be on build 26100.33158 or later.
Windows 11 version 26H1 differs from the other client releases because Microsoft identifies build 28000.2269 as the fixed boundary. That build was delivered in the June 9, 2026 cumulative update KB5095051, so a 26H1 system may already be protected even before installing July’s newer cumulative package. Administrators should still deploy the latest supported cumulative update because Windows servicing packages contain additional security corrections beyond this one CVE.
To check a workstation interactively, run winver and compare the displayed build with the applicable threshold. At scale, administrators can obtain build information through Microsoft Intune, Configuration Manager, Windows Update for Business reporting, PowerShell inventory, or their existing endpoint-management platform.

Exploitation Is Not Reported, but the Technical Impact Is High​

The National Vulnerability Database had not completed its own enrichment of CVE-2026-50385 immediately after publication on July 14. Its record nevertheless reproduces Microsoft’s description, CVSS vector, weakness classifications, and affected build ranges.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data records no known exploitation and describes exploitation as not readily automatable. Its assessment assigns the vulnerability a total technical impact, consistent with Microsoft’s high confidentiality, integrity, and availability ratings.
There is an important distinction between confidence and exploitation status. The “report confidence” language displayed in Microsoft’s advisory explains how strongly the existence and technical details of a vulnerability have been established. Microsoft is the assigning CVE authority and has confirmed the flaw, but confirmation does not mean attacks have been observed in the wild.
At publication, the available records do not identify public proof-of-concept code or active exploitation. Microsoft’s limited public description also omits the precise Windows Runtime component, triggering operation, and privilege level obtained after exploitation. That reduces the immediately available guidance for detection engineering, but it should not be mistaken for evidence that the issue is harmless.
Race conditions can be more difficult to exploit reliably than straightforward memory-corruption bugs because success may depend on timing, thread scheduling, and system state. Microsoft’s low attack-complexity rating, however, signals that specialized circumstances are not expected to be a major obstacle once an attacker has established local access and developed a working technique.

Endpoint Controls Still Matter After Patching​

Installing the cumulative update closes the documented Windows Runtime flaw, but administrators should also consider the role privilege escalation plays in a broader attack chain. Application control, endpoint detection and response, least-privilege account policies, and restrictions on script interpreters can reduce an attacker’s ability to reach or exploit local vulnerabilities.
Security teams should review alerts involving unexpected child processes, access to protected services, token manipulation, security-product tampering, or processes moving from an ordinary user context into SYSTEM-level execution. Microsoft has not published CVE-specific indicators of compromise, so detection must initially rely on behavioral evidence rather than a unique filename, event ID, or network signature.
Servers deserve particular attention because local access may be available to service accounts, application operators, remote desktop users, or software running under constrained identities. Server Core is not exempt: Microsoft explicitly includes the Server Core installation option in the affected Windows Server 2025 products.
For managed environments, the immediate task is to confirm that Windows 11 24H2 and 25H2 devices have reached the KB5101650 build baseline and that Windows Server 2025 has received KB5099536. Systems held behind approval rings, maintenance windows, snapshots, or pending-reboot states remain exposed until the corrected binaries are installed and active.
CVE-2026-50385 does not present the same perimeter risk as a remotely exploitable, pre-authentication vulnerability. Its importance lies in what happens after an attacker gets through the first door: an ordinary local foothold may be enough to challenge a much more consequential Windows security boundary.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top