CVE-2026-50397: July 14 Updates Fix Windows Kernel Elevation Flaw

CVE-2026-50397 is a Windows Kernel use-after-free vulnerability that can let a locally authenticated attacker elevate privileges across supported Windows 10, Windows 11, and Windows Server releases. Microsoft fixed the flaw in its July 14, 2026 security updates, making deployment of the relevant cumulative update the primary defense.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, the vulnerability is rated Important by Microsoft with a CVSS 3.1 base score of 7.0. It is not a remote-entry vulnerability, but a successful exploit could give an attacker high-impact control over confidentiality, integrity, and availability on the affected machine.
Administrators should treat CVE-2026-50397 as a post-compromise escalation route: an attacker first needs local access and low-level privileges, but could then use the kernel flaw to obtain substantially greater control.

Cybersecurity illustration of a kernel-memory use-after-free flaw enabling restricted-user to administrator escalation.A Use-After-Free Bug at Windows’ Trust Boundary​

Microsoft identifies CVE-2026-50397 as CWE-416, or a use-after-free vulnerability. This class of memory-safety defect occurs when software continues using a memory object after it has been released, potentially allowing an attacker to influence what occupies that memory when the stale reference is accessed.
The weakness sits in the Windows Kernel, where successful memory corruption carries more serious consequences than a comparable bug in an ordinary user-mode application. Kernel-level privilege escalation can allow an attacker to cross the boundary separating a restricted account or compromised process from highly privileged operating-system functions.
Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. That translates into a local attack requiring an existing low-privilege account, with no additional user interaction. Attack complexity is rated high, indicating that reliable exploitation is likely to depend on conditions beyond simply running a malicious executable.
That complexity explains why the base score is 7.0 rather than the 7.8 frequently assigned to straightforward local privilege-escalation flaws. It does not make the vulnerability harmless. Once the necessary conditions are met, Microsoft assesses the potential effect on data confidentiality, system integrity, and availability as high.
CISA’s Stakeholder-Specific Vulnerability Categorization data listed no known exploitation as of July 15 and characterized automated exploitation as unlikely. Its technical-impact assessment was nevertheless “total,” reflecting what successful privilege escalation could permit on an individual endpoint.

Confirmed Does Not Mean Exploited​

The “confidence” language displayed in Microsoft’s advisory describes the CVSS report confidence metric. In this case, the vulnerability is vendor-confirmed: Microsoft has acknowledged the flaw, assigned it CVE-2026-50397, identified the use-after-free root cause, documented affected versions, and shipped corrective updates.
That should not be confused with evidence of active attacks. Neither Microsoft’s available information nor CISA’s assessment indicated that CVE-2026-50397 was being exploited in the wild when the July updates were released. It was also not identified as publicly disclosed before Microsoft’s fix became available.
In practical terms, defenders know the vulnerability exists and know enough about its technical class and affected builds to act. Would-be attackers, however, do not necessarily have a public proof of concept or a reliable exploitation method.
This distinction matters when prioritizing a large Patch Tuesday rollout. BleepingComputer counted 570 vulnerabilities in Microsoft’s July 2026 release, including vulnerabilities already exploited in attacks. CVE-2026-50397 is not in that zero-day category, but its location in the kernel makes it useful as part of a wider attack chain.
A phishing payload, malicious installer, compromised browser process, or abused service account may initially execute with restricted rights. A local kernel flaw can provide the second step needed to disable defenses, access protected information, create privileged accounts, install persistent components, or interfere with the machine’s operation.

The Affected Footprint Spans Old and New Windows Builds​

Microsoft’s affected-product record covers current Windows 11 branches alongside long-serviced Windows 10 and Windows Server installations. Both x64 and Arm64 Windows 11 systems are included, while several older Windows 10 branches also include 32-bit systems.
Affected releases include:
  • Windows 11 versions 24H2 and 25H2 are affected below OS builds 26100.8875 and 26200.8875, respectively.
  • Windows 11 version 26H1 is affected below OS build 28000.2269.
  • Windows 10 version 1607 is affected below build 14393.9339.
  • Windows 10 version 1809 is affected below build 17763.9020.
  • Windows 10 versions 21H2 and 22H2 are affected below builds 19044.7548 and 19045.7548.
  • Windows Server 2012 and 2012 R2, including Server Core, require their July security servicing.
  • Windows Server 2016 is affected below build 14393.9339.
  • Windows Server 2019 is affected below build 17763.9020.
  • Windows Server 2022 is affected below build 20348.5386.
  • Windows Server 2025 is affected below build 26100.33158.
For mainstream Windows 11 24H2 and 25H2 PCs, the fix arrives in KB5101650, which moves the systems to builds 26100.8875 and 26200.8875. Windows Server 2022 receives build 20348.5386 through KB5099540, while Windows Server 2016 and Windows 10 version 1607 receive build 14393.9339 through KB5099535.
Checking the installed OS build is therefore a more dependable validation step than merely confirming that Windows Update ran. Administrators can inspect winver, inventory data from Microsoft Intune or Configuration Manager, or the output of Get-ComputerInfo and compare it with Microsoft’s fixed-build thresholds.
Legacy systems require particular attention. Windows Server 2012 and 2012 R2 are no longer in ordinary support and depend on applicable Extended Security Updates, while Windows 10 21H2 and 22H2 coverage varies by edition and servicing program. A machine appearing in Microsoft’s affected-product data does not guarantee that every organization is entitled to receive its update without the necessary support arrangement.

Patch Testing Has One Notable Hardware Complication​

The fix is delivered through cumulative Windows servicing rather than as a standalone mitigation for the kernel component. There is no configuration switch that fully substitutes for installing the July update.
Microsoft has temporarily withheld KB5101650 from a limited number of Dell PCs with Intel processors after Dell reported an incompatibility that could cause unexpected shutdowns, degraded performance, increased heat, and battery drain. Microsoft said it was working with Dell on a resolution, so administrators managing affected hardware should not bypass a safeguard hold simply to force the package onto those devices.
That exception does not change the broader deployment priority. Organizations should begin with exposed workstations, shared systems, administrator endpoints, jump hosts, development machines, and servers on which untrusted or lower-privilege users can run code. Those are the environments where a local privilege-escalation flaw provides the most immediate value to an intruder.
Endpoint controls can reduce the likelihood of an attacker reaching the exploitation stage. Application control, least-privilege account design, Microsoft Defender Attack Surface Reduction rules, credential protection, and restrictions on unsigned or untrusted executables all raise the cost of establishing the initial local foothold. None of them repairs the stale kernel-memory reference.
CVE-2026-50397 is a confirmed, high-impact kernel defect without evidence of active exploitation at publication time. The operational target is concrete: bring affected Windows installations to Microsoft’s July 14, 2026 fixed builds, while respecting the temporary safeguard affecting certain Dell Intel systems and verifying completion through build-level inventory rather than update status alone.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
 

Back
Top