CVE-2026-50425: Install July Updates to Block Windows Privilege Escalation

Microsoft has patched CVE-2026-50425, a high-severity Windows privilege-escalation vulnerability that could let an attacker with an existing local account obtain greater control over a compromised PC or server. The fix is included in the July 14, 2026 security updates for Windows 10, Windows 11 24H2 and 25H2, and Windows Server 2025.
Detailed in the Microsoft Security Response Center’s Security Update Guide, the flaw carries a CVSS 3.1 base score of 7.8 out of 10 and an “Important” severity rating. Microsoft says it was neither publicly disclosed nor known to be exploited when the advisory was released, and assesses future exploitation as less likely.
That assessment lowers the immediate alarm level, but it does not make the vulnerability harmless. CVE-2026-50425 requires local access and low privileges rather than an unauthenticated network connection, placing it squarely in the category of flaws attackers may use after establishing an initial foothold.

Cybersecurity dashboard showing a warning shield protecting computers, servers, and network infrastructure.A Use-After-Free Bug Opens the Privilege Boundary​

CVE-2026-50425 is a use-after-free vulnerability, identified as CWE-416, in the Windows Internal System User Profile component. This class of memory-safety defect occurs when software continues to reference memory after that memory has been released, potentially allowing an attacker to manipulate what occupies the freed space.
Microsoft’s public description remains brief: an authorized attacker can exploit the flaw locally to elevate privileges. The company has not published exploit code, a detailed execution sequence, or information identifying which user-profile operation triggers the unsafe memory access.
The CVSS vector provides a clearer picture of the attack conditions. It identifies a local attack vector, low attack complexity, low privileges required, and no user interaction. A successful exploit can produce high impacts to confidentiality, integrity, and availability, while the security scope remains unchanged.
In practical terms, an attacker cannot trigger this directly from the internet solely through the vulnerable component. The attacker must first gain the ability to run code or commands under a low-privilege account on the target machine. That access might come from malicious software, stolen credentials, an exposed remote-management channel, or exploitation of another vulnerability.
Once that foothold exists, a reliable elevation-of-privilege exploit could potentially help the attacker escape the restrictions imposed on the compromised account. The exact privileges obtained are not specified in Microsoft’s public advisory, so claims that the flaw definitively grants SYSTEM access would go beyond the available evidence.
This distinction matters for incident response. CVE-2026-50425 is more naturally treated as a post-compromise escalation path than as an initial-entry vulnerability, but post-compromise flaws remain valuable to ransomware operators, credential thieves, and interactive intruders attempting to disable defenses or move deeper into an environment.

The Fixed Builds Define the Compliance Target​

Microsoft’s affected-version data provides concrete build thresholds that administrators can use to verify remediation. Devices running builds below the listed security levels should be treated as vulnerable unless Microsoft supplies different product-specific guidance.
The applicable servicing targets are:
  • Windows 10 version 21H2 must reach OS Build 19044.7548 through KB5099539.
  • Windows 10 version 22H2 must reach OS Build 19045.7548 through KB5099539.
  • Windows 11 version 24H2 must reach OS Build 26100.8875 through KB5101650.
  • Windows 11 version 25H2 must reach OS Build 26200.8875 through KB5101650.
  • Windows 11 version 26H1 should install the current July update, KB5101649, which moves the platform to OS Build 28000.2525.
  • Windows Server 2025, including Server Core, must reach OS Build 26100.33158 through KB5099536.
The structured CVE record lists Windows 11 26H1 builds earlier than 28000.2269 as affected. That threshold corresponds to the June 9 security level, while Microsoft’s current July cumulative update is KB5101649 and OS Build 28000.2525. Administrators should deploy the latest cumulative package rather than deliberately stopping at the older minimum build.
Windows 10 requires additional attention because ordinary support for version 22H2 ended on October 14, 2025. Organizations still operating Windows 10 need an applicable servicing entitlement, such as Extended Security Updates or a supported LTSC edition, to continue receiving security fixes. Seeing Windows 10 in the affected-products table does not mean every out-of-support installation will automatically receive KB5099539.
As with other cumulative Windows updates, installing the current package includes previous security corrections for that servicing branch. Administrators therefore do not need to locate a separate CVE-2026-50425 hotfix.
Build verification is preferable to checking only whether an update deployment policy was assigned. On an endpoint, winver provides a quick interactive check, while managed environments can query OS build information through PowerShell, Microsoft Intune, Configuration Manager, Windows Update for Business reporting, or their endpoint-detection platform.

Local Access Changes the Priority, Not the Need to Patch​

CVE-2026-50425 is not a zero-click remote-code-execution bug. Its local attack vector and low-privilege prerequisite give defenders an opportunity to prioritize it behind actively exploited vulnerabilities and remotely reachable flaws, particularly during a crowded Patch Tuesday cycle.
Microsoft also reported no public disclosure or observed exploitation at publication. The July Patch Tuesday summary tracked by BleepingComputer similarly lists the vulnerability as not exploited, not publicly disclosed, and “Exploitation Less Likely.”
Those labels describe what Microsoft knew on July 14, not what will remain true indefinitely. Privilege-escalation vulnerabilities can become more useful after researchers compare patched and unpatched binaries, a process commonly called patch diffing. Microsoft has not said that such analysis has produced an exploit for CVE-2026-50425, but withholding unnecessary technical detail initially reduces the information immediately available to would-be attackers.
Workstations used by developers, administrators, help-desk personnel, and other users with access to sensitive systems deserve particular attention. A low-privilege compromise on one of these devices can be more consequential than the same compromise on a tightly restricted kiosk because the attacker may find valuable credentials, management tools, tokens, or network access after elevating privileges.
Multi-user systems also have a different exposure profile. Windows Server 2025 machines providing Remote Desktop Session Host, application hosting, jump-box, or shared administration functions may permit more users to execute local code than a narrowly configured infrastructure server. Server Core is not exempt; Microsoft explicitly identifies it as affected.
Application control, least-privilege policies, Credential Guard, Microsoft Defender for Endpoint, and attack-surface-reduction rules can constrain the routes attackers use to establish the initial foothold. They should be viewed as complementary controls, not substitutes for correcting the memory-safety defect.

Deployment Should Focus on Builds and Regressions​

For consumer systems, the July cumulative update is delivered through Windows Update. Enterprise administrators can deploy the packages through Windows Update for Business, Windows Server Update Services, Microsoft Intune, Configuration Manager, or the Microsoft Update Catalog, depending on their servicing design.
A sensible rollout starts with a representative validation ring covering security agents, profile-management products, virtual desktop tooling, identity software, and applications that interact heavily with user sessions. The vulnerable component’s name suggests a relationship to internal user-profile handling, but Microsoft has not documented the precise affected operation, so administrators should avoid inventing overly narrow exposure tests.
The July packages contain many changes beyond CVE-2026-50425. Windows 11 KB5101650 and Windows Server 2025 KB5099536 include cumulative security and quality fixes, while the Windows 11 26H1 package also carries platform changes inherited from June’s updates. Testing must therefore evaluate the complete cumulative package rather than assuming any observed behavior is caused by this single CVE correction.
Organizations should verify successful installation after the maintenance window and investigate machines that remain below the fixed build. Common causes include safeguard holds, update scan failures, stale WSUS approvals, insufficient disk space, pending restarts, unsupported editions, and devices that have stopped reporting to management.
Security teams should also continue hunting for the precursor activity that CVE-2026-50425 would require: execution under unexpected local accounts, suspicious process launches from writable profile directories, credential misuse, security-control tampering, and unexplained attempts to access privileged resources. Microsoft has not published CVE-specific indicators of compromise, so detection must initially focus on broader post-exploitation behavior.
The actionable line is straightforward: Windows 11 24H2 and 25H2 should reach KB5101650, Windows Server 2025 should reach KB5099536, eligible Windows 10 systems should reach KB5099539, and Windows 11 26H1 should move to KB5101649. Until those builds are installed, a low-privilege foothold may still leave an attacker with a path toward much greater control.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: windowsforum.com
 

Back
Top