CVE-2026-50399: Patch Windows Kernel Privilege Escalation

CVE-2026-50399, a newly patched Windows Kernel elevation-of-privilege vulnerability, allows a locally authenticated attacker to gain higher privileges through an out-of-bounds memory read. Microsoft fixed the Important-rated flaw in its July 14, 2026 security updates for supported Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025 systems.
Detailed in Microsoft’s Security Update Guide and published during the July 2026 Patch Tuesday release, CVE-2026-50399 carries a CVSS 3.1 base score of 7.8 out of 10. Microsoft describes the underlying weakness as CWE-125, an out-of-bounds read in the Windows Kernel.
The immediate action is straightforward: administrators should deploy the July cumulative updates and verify that endpoints have reached the corrected OS build for their Windows release. Microsoft has not identified CVE-2026-50399 as publicly disclosed or exploited in the wild, and its exploitability assessment says exploitation is less likely, but the potential result is still a complete compromise of confidentiality, integrity, and availability on an affected machine.

Cybersecurity graphic showing Windows protection, privilege layers, servers, and kernel memory with out-of-bounds blocks.A Local Foothold Could Become a System Compromise​

CVE-2026-50399 is not a remote, unauthenticated entry point. Microsoft’s CVSS vector specifies a local attack vector, low attack complexity, low privileges required, and no user interaction.
That means an attacker must already be able to execute code or otherwise operate under an authorized low-privilege account on the target. Successful exploitation could then cross a security boundary and provide elevated rights, potentially turning an ordinary user-level compromise into control over the machine.
This distinction matters when prioritizing the update. A local elevation-of-privilege flaw is unlikely to be the first step in an intrusion, but it can be an effective second step after phishing, credential theft, malicious software installation, exploitation of a browser or document parser, or abuse of an exposed remote-access service.
The CVSS vector assigns high impact to confidentiality, integrity, and availability. In practical terms, elevated kernel-level access may enable an attacker to inspect protected data, modify system state, interfere with security products, create privileged persistence, or damage the operating system. Microsoft has not publicly documented the precise kernel path involved, so those outcomes describe the security boundary at risk rather than a confirmed exploit sequence.
The vulnerability’s CWE-125 classification indicates that kernel code can read memory beyond the intended boundary of a buffer. Out-of-bounds reads are commonly associated with crashes and information disclosure, but in this case Microsoft has determined that the condition can support elevation of privilege.

“Confirmed” Does Not Mean “Actively Exploited”​

The Microsoft advisory marks the report-confidence metric as confirmed. That terminology can be misread as evidence that attackers are already exploiting the flaw, but it addresses a different question.
Report confidence reflects Microsoft’s certainty that the vulnerability exists and that the available technical findings are credible. A confirmed rating can mean the vendor has reproduced the problem, reviewed detailed research, or otherwise validated the underlying security defect.
It does not mean public exploit code exists, exploitation has been detected, or CVE-2026-50399 is a zero-day. Microsoft’s July security-release data, also compiled by BleepingComputer, lists the vulnerability as not publicly disclosed and not known to be exploited. Microsoft currently considers exploitation less likely.
That assessment lowers the immediate emergency level, but it is not a reason to leave the update indefinitely queued. Once cumulative updates are available, attackers can compare patched and unpatched Windows binaries—a process known as patch diffing—to identify the changed code and develop a clearer understanding of the vulnerability.
The limited public technical detail currently works in defenders’ favor. That advantage can shrink as researchers and exploit developers analyze the July binaries.

The Fixed Builds Define the Deployment Target​

Microsoft’s affected-version data identifies the first corrected OS builds. Systems below these build numbers remain exposed:
  • Windows 10 version 21H2 must reach OS build 19044.7548.
  • Windows 10 version 22H2 must reach OS build 19045.7548.
  • Windows 11 version 24H2 must reach OS build 26100.8875.
  • Windows 11 version 25H2 must reach OS build 26200.8875.
  • Windows 11 version 26H1 must be at or above build 28000.2269.
  • Windows Server 2022 must reach OS build 20348.5386.
  • Windows Server 2025, including Server Core, must reach OS build 26100.33158.
For Windows 11 versions 24H2 and 25H2, the July fix is delivered through KB5101650. Microsoft lists the resulting builds as 26100.8875 and 26200.8875 respectively, and says it is not currently aware of any issues with that cumulative update.
Windows 10 version 21H2 and 22H2 receive the corrected builds through KB5099539. Windows Server 2022 receives build 20348.5386 through KB5099540, while Windows Server 2025 reaches build 26100.33158 through KB5099536.
The Windows 10 entries need additional attention because general support status now affects update eligibility. Windows 10 version 22H2 reached the end of ordinary support on October 14, 2025, while version 21H2 ended support earlier for most editions. Devices must be covered by an applicable Extended Security Updates program or run a still-supported LTSC edition to continue receiving fixes.
An unsupported Windows 10 installation will not become secure merely because Microsoft has produced a patch for the underlying code. Administrators should confirm both the installed build and the device’s entitlement to receive current security updates.

Patch Validation Matters More Than the CVE Count​

CVE-2026-50399 arrived in an unusually large July release. BleepingComputer counted 570 Microsoft vulnerabilities addressed during the month, including hundreds of elevation-of-privilege issues and three zero-days elsewhere in the product portfolio.
That volume can make individual vulnerabilities disappear into scanner reports. For CVE-2026-50399, the useful validation point is the OS build rather than the mere presence of a July update entry in Windows Update history.
Administrators can check a device with winver, PowerShell inventory, Microsoft Intune, Configuration Manager, Windows Update for Business reporting, or their endpoint-management platform. Server teams should confirm that Windows Server 2022 and Windows Server 2025 machines have completed the required restart, because staging a cumulative update without rebooting does not necessarily activate all replaced kernel components.
Microsoft’s Windows Server 2022 release notes also identify a limited BitLocker recovery risk associated with a specific, unrecommended Group Policy configuration involving PCR7. Enterprises using explicitly configured TPM platform-validation profiles should review that known issue and make sure recovery keys are available before broad deployment. That servicing concern does not remove the need to patch CVE-2026-50399, but it may justify a controlled rollout through test rings.
Security teams should treat any future appearance of public proof-of-concept code, exploitation telemetry, or inclusion in the CISA Known Exploited Vulnerabilities catalog as a trigger to accelerate remaining deployments. As of July 15, 2026, none of those escalation signals has been reported for this CVE.
For now, CVE-2026-50399 is a confirmed, high-impact local privilege-escalation flaw with a vendor fix and no known active exploitation. The practical dividing line is therefore clear: Windows 11 systems below builds 26100.8875 or 26200.8875, Windows Server systems below their July targets, and eligible Windows 10 machines below builds 19044.7548 or 19045.7548 should remain in the active patch queue until the corrected build is installed and verified.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
 

Back
Top