CVE-2026-50415: KB5101650 Fixes Windows Media Data Leak

Microsoft has patched CVE-2026-50415, a Windows Media information-disclosure vulnerability that could let an unauthenticated attacker obtain sensitive information over a network. The flaw carries a CVSS 3.1 score of 5.3, but its network reachability and lack of required user interaction make it relevant to administrators even though Microsoft rates its confidentiality impact as low.
The vulnerability was published on July 14, 2026, as part of Microsoft’s monthly security release. Microsoft’s Security Update Guide identifies the report as confirmed, while the National Vulnerability Database lists affected Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2025 installations.
For most supported systems, the fix arrives through the normal July cumulative update rather than as a separate Windows Media package.

Cybersecurity operations center displaying critical patch updates, endpoint compliance, and a mitigated vulnerability.Network Reachability Raises the Patch Priority​

CVE-2026-50415 is categorized as CWE-200, or exposure of sensitive information to an unauthorized actor. Microsoft’s short description says the weakness in Windows Media can allow an unauthorized attacker to disclose information over a network, but the company has not published a detailed technical explanation of the vulnerable data, protocol exchange, or Windows Media code path.
The CVSS vector is more revealing: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. It describes an attack that is network-accessible, has low attack complexity, requires no privileges, and does not depend on a user opening a file or clicking a link.
A successful attack affects confidentiality but is not scored as changing data or disrupting system availability. In practical terms, CVE-2026-50415 is not presented as a route to remote code execution, administrator access, or a denial-of-service condition. Its immediate value to an attacker would instead come from whatever information can be extracted and whether that information assists a later stage of an intrusion.
That distinction matters, but it should not turn “Medium” into “ignore.” Information-disclosure bugs can expose memory contents, identifiers, configuration details, or other material that helps an attacker understand a target. Microsoft has not said which of those scenarios applies here, so administrators should avoid assuming that the exposed information is harmless.
The absence of required authentication is also important for threat modeling. Organizations should treat systems that process Windows Media traffic from untrusted or external sources as having a more relevant attack surface than tightly isolated machines, even though Microsoft has not provided enough public detail to map the vulnerability to a specific port or service configuration.

“Confirmed” Does Not Mean Exploited​

The report-confidence field supplied with CVE-2026-50415 is Confirmed. This means Microsoft, as the vendor and CVE Numbering Authority, has confirmed the vulnerability or considers the available technical evidence sufficient to verify it.
It does not mean Microsoft has confirmed attacks in the wild. Report confidence describes certainty that the vulnerability exists and that the technical finding is credible; it is separate from whether exploit code is public, whether attackers are scanning for vulnerable systems, or whether exploitation has been observed.
That separation is especially useful here because the public advisory is sparse. Administrators have a vendor-confirmed weakness, an attack vector, a severity score, and fixed build thresholds, but not a detailed exploit scenario. The information available to defenders—and potentially to attackers—is therefore uneven.
Microsoft’s confirmation should be enough to drive remediation through the standard cumulative-update process. It is not, by itself, a reason to invoke emergency procedures normally reserved for a known exploited zero-day, an unauthenticated remote-code-execution flaw, or a vulnerability added to a government exploitation catalog.

Fixed Builds Span Client and Server Releases​

The NVD record received from Microsoft identifies affected installations by their build number. Systems at or above the listed fixed threshold are no longer included in the vulnerable version range.
For current Windows 11 deployments, July’s KB5101650 raises Windows 11 24H2 to build 26100.8875 and Windows 11 25H2 to build 26200.8875. Both x64 and Arm64 installations are covered.
The broader set of fixed thresholds and associated July packages includes:
  • Windows 11 24H2 is fixed at build 26100.8875 through KB5101650.
  • Windows 11 25H2 is fixed at build 26200.8875 through KB5101650.
  • Windows 10 21H2 is fixed at build 19044.7548 through KB5099539.
  • Windows 10 22H2 is fixed at build 19045.7548 through KB5099539.
  • Windows 10 version 1809 and Windows Server 2019 are fixed at build 17763.9020 through KB5099538.
  • Windows Server 2022 is fixed at build 20348.5386 through KB5099540.
  • Windows Server 2025 is fixed at build 26100.33158 through KB5099536.
The affected record also lists Windows 11 version 26H1 systems below build 28000.2269. That threshold corresponds to KB5095051, released in June 2026, indicating that devices already running build 28000.2269 or later meet Microsoft’s fixed-version boundary even though CVE-2026-50415 was published in July.
Windows Server Core installations are not exempt. Microsoft explicitly includes Server Core variants of Windows Server 2019 and Windows Server 2025, reinforcing that the vulnerable functionality should not be assumed absent merely because the graphical desktop experience is not installed.
Windows 10 requires closer attention because its servicing status now varies by edition and enrollment. Windows 10 22H2 reached the end of general support on October 14, 2025, so ordinary consumer devices need Extended Security Updates to continue receiving fixes such as KB5099539. Windows 10 Enterprise LTSC and IoT Enterprise LTSC releases remain governed by their separate support lifecycles.

Deployment Checks Matter More Than Media Workarounds​

Microsoft has not documented a standalone mitigation or a configuration workaround for CVE-2026-50415. The actionable remedy is to install the applicable cumulative security update and verify that the resulting OS build meets or exceeds the fixed threshold.
Administrators using Microsoft Intune, Windows Update for Business, Configuration Manager, WSUS, or third-party patch platforms should validate deployment by build number rather than relying only on a “success” status. Devices that were offline, held by safeguard policies, excluded from rings, or unable to complete a restart may still report stale Windows Media components.
On Windows 11 24H2 and 25H2, Microsoft has temporarily withheld KB5101650 from a limited number of Dell systems with Intel processors because of a reported compatibility problem involving unexpected shutdowns, reduced performance, increased heat, and battery drain. That safeguard creates a legitimate exception where a device may remain below the CVE’s fixed build while Microsoft and Dell work on a resolution.
Server administrators also need to account for the wider operational effects of July’s cumulative updates. Microsoft’s release notes describe networking hardening around third-party TDI transports, while Windows Server 2022 has a known BitLocker recovery scenario involving an unusual Group Policy configuration with explicit PCR7 validation. Those issues do not negate the CVE-2026-50415 fix, but they justify normal staged testing before broad deployment.
For security teams, the fixed build is the decisive control. Windows 11 24H2 and 25H2 machines should report builds 26100.8875 and 26200.8875 respectively, while server and Windows 10 estates should be checked against their corresponding July thresholds. Until Microsoft publishes deeper technical details, patch compliance—not speculative disabling of media features—remains the most reliable way to close CVE-2026-50415.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top