CVE-2026-50429, a Windows Kernel information-disclosure vulnerability patched on July 14, 2026, can reportedly be exploited remotely without credentials or user interaction. Microsoft rates the flaw Important, while its CVSS 3.1 score of 8.2 places it firmly in the high-severity range and makes it a priority for Windows Server administrators.
Detailed in Microsoft’s Security Update Guide and subsequently catalogued by the National Vulnerability Database, the flaw is an out-of-bounds read in the Windows kernel. A successful attacker could extract information over a network and cause a limited availability impact, although Microsoft has not linked the vulnerability to code execution, privilege escalation, or data modification.
The vulnerability was not publicly disclosed before the update, and Microsoft reported no evidence that it was being exploited in attacks when the advisory was published. That distinction matters, but the combination of network reachability, low attack complexity, and no authentication requirement leaves little reason to postpone July’s cumulative Windows updates.
Microsoft’s CVSS vector for CVE-2026-50429 is
The principal impact is confidentiality. Microsoft assigns a high confidentiality impact, no integrity impact, and a low availability impact. That means the documented outcome is disclosure of information from memory rather than the direct alteration of files, installation of malware, or takeover of the affected machine.
An out-of-bounds read occurs when software reads beyond the intended boundary of a memory buffer. Depending on what occupies the adjacent memory, such a mistake can expose data that should never have been returned to the requester. Microsoft has not publicly described the exact kernel path, network protocol, packet structure, or type of information that could be recovered through CVE-2026-50429.
That lack of exploit-level detail limits immediate defensive options. Administrators cannot reliably block a documented port, disable a named service, or deploy a narrowly tailored intrusion-detection signature based on the currently public advisory. The security update is therefore the primary remedy.
The “scope unchanged” portion of the CVSS vector indicates that exploitation remains within the security authority of the vulnerable Windows component. It does not reduce the sensitivity of a kernel memory disclosure, but it helps distinguish this flaw from vulnerabilities that cross security boundaries into another component or service.
That confidence should not be confused with evidence of attacks. Microsoft’s exploitability assessment, as reproduced in the SANS Internet Storm Center’s July 2026 Patch Tuesday tracking, showed no public disclosure and no known exploitation at release. The exploit-code maturity value was also listed as unproven.
Those two findings can coexist: Microsoft can conclusively confirm that the vulnerable code exists while having no evidence that anyone outside the reporting and remediation process has built a working exploit. The publication of a patch can nevertheless accelerate reverse engineering because researchers and attackers can compare pre-update and post-update kernel binaries to locate the corrected code.
This is why the CVSS base score deserves more operational weight than the absence of known exploitation. The vector describes a potentially remote, unauthenticated path with low attack complexity. Even if exploitation is not yet demonstrated publicly, those properties are attractive to attackers and justify prompt deployment on exposed or sensitive systems.
Microsoft’s official remediation also raises the temporal score’s remediation level to an official fix. There is no published workaround or mitigation that provides an equivalent substitute for installing the relevant cumulative update.
The server footprint is particularly broad. Microsoft identifies Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 as affected, including Server Core installations where applicable. That makes CVE-2026-50429 relevant to long-lived infrastructure as well as current Windows 11 endpoints.
The corrected build thresholds in Microsoft’s CVE data include:
Windows Server 2022 receives the fix through KB5099540, which advances the operating system to build 20348.5386. Other supported releases receive the correction through their corresponding July 14 cumulative security updates. Because Windows cumulative updates supersede previous packages, installing the latest applicable update should include the CVE-2026-50429 fix without requiring a separate kernel package.
Legacy Windows 10 entries require some context. Versions such as Windows 10 1607, 1809, and 21H2 are generally relevant only where a supported servicing channel, edition, or Extended Security Updates arrangement remains in place. Unsupported machines do not become safe simply because the same code branch received a correction for supported customers.
A release of that size creates a prioritization problem for enterprise IT. Vulnerability scanners may produce hundreds of new findings at once, while change-control teams still have finite testing capacity. CVE-2026-50429 stands out because its CVSS vector does not depend on local access, an authenticated account, or user action.
Server teams should therefore prioritize internet-facing Windows hosts, systems accepting connections from less-trusted network segments, and machines containing high-value credentials or business data. Domain controllers, application servers, remote-access infrastructure, and multi-tenant Windows workloads merit early testing even though Microsoft has not named a specific exposed service.
The usual deployment safeguards still apply. Test the July cumulative updates against storage, networking, endpoint security, backup, and line-of-business workloads; confirm that systems restart successfully; and monitor Microsoft’s Windows release-health documentation for newly acknowledged update issues. Those precautions should shape the rollout order rather than become justification for an open-ended delay.
Installing and verifying the July 14, 2026 cumulative update is the only documented way to close CVE-2026-50429. Until Microsoft publishes more protocol-level detail, administrators should treat the corrected OS build—not the absence of alerts or public exploit code—as the reliable indicator that a Windows machine is protected.
Detailed in Microsoft’s Security Update Guide and subsequently catalogued by the National Vulnerability Database, the flaw is an out-of-bounds read in the Windows kernel. A successful attacker could extract information over a network and cause a limited availability impact, although Microsoft has not linked the vulnerability to code execution, privilege escalation, or data modification.
The vulnerability was not publicly disclosed before the update, and Microsoft reported no evidence that it was being exploited in attacks when the advisory was published. That distinction matters, but the combination of network reachability, low attack complexity, and no authentication requirement leaves little reason to postpone July’s cumulative Windows updates.
A Network Attack With No Login Prompt
Microsoft’s CVSS vector for CVE-2026-50429 is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L. In practical terms, an attacker can potentially reach the vulnerable code over a network, does not require an existing account, and does not need to persuade a user to open a document, click a link, or run an executable.The principal impact is confidentiality. Microsoft assigns a high confidentiality impact, no integrity impact, and a low availability impact. That means the documented outcome is disclosure of information from memory rather than the direct alteration of files, installation of malware, or takeover of the affected machine.
An out-of-bounds read occurs when software reads beyond the intended boundary of a memory buffer. Depending on what occupies the adjacent memory, such a mistake can expose data that should never have been returned to the requester. Microsoft has not publicly described the exact kernel path, network protocol, packet structure, or type of information that could be recovered through CVE-2026-50429.
That lack of exploit-level detail limits immediate defensive options. Administrators cannot reliably block a documented port, disable a named service, or deploy a narrowly tailored intrusion-detection signature based on the currently public advisory. The security update is therefore the primary remedy.
The “scope unchanged” portion of the CVSS vector indicates that exploitation remains within the security authority of the vulnerable Windows component. It does not reduce the sensitivity of a kernel memory disclosure, but it helps distinguish this flaw from vulnerabilities that cross security boundaries into another component or service.
The Confidence Metric Confirms the Bug, Not Active Exploitation
The confidence language accompanying Microsoft’s advisory concerns how certain the vendor is that the vulnerability and its technical characterization are real. For CVE-2026-50429, the available CVSS temporal data records Report Confidence as confirmed, reflecting Microsoft’s acknowledgement and remediation of the underlying defect.That confidence should not be confused with evidence of attacks. Microsoft’s exploitability assessment, as reproduced in the SANS Internet Storm Center’s July 2026 Patch Tuesday tracking, showed no public disclosure and no known exploitation at release. The exploit-code maturity value was also listed as unproven.
Those two findings can coexist: Microsoft can conclusively confirm that the vulnerable code exists while having no evidence that anyone outside the reporting and remediation process has built a working exploit. The publication of a patch can nevertheless accelerate reverse engineering because researchers and attackers can compare pre-update and post-update kernel binaries to locate the corrected code.
This is why the CVSS base score deserves more operational weight than the absence of known exploitation. The vector describes a potentially remote, unauthenticated path with low attack complexity. Even if exploitation is not yet demonstrated publicly, those properties are attractive to attackers and justify prompt deployment on exposed or sensitive systems.
Microsoft’s official remediation also raises the temporal score’s remediation level to an official fix. There is no published workaround or mitigation that provides an equivalent substitute for installing the relevant cumulative update.
Supported Windows Releases Share the Exposure
Microsoft’s affected-product data spans both client and server editions. The listed releases include Windows 11 versions 24H2, 25H2, and 26H1, along with Windows 10 versions still receiving applicable security servicing, including versions 1607, 1809, 21H2, and 22H2.The server footprint is particularly broad. Microsoft identifies Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 as affected, including Server Core installations where applicable. That makes CVE-2026-50429 relevant to long-lived infrastructure as well as current Windows 11 endpoints.
The corrected build thresholds in Microsoft’s CVE data include:
- Windows 11 24H2 systems must move to build 26100.8875 or later.
- Windows 11 25H2 systems must move to build 26200.8875 or later.
- Windows 11 26H1 systems must move beyond the affected 28000.2269 threshold through the July update.
- Windows 10 22H2 and 21H2 systems must reach builds 19045.7548 and 19044.7548, respectively.
- Windows Server 2022 must reach OS build 20348.5386.
- Windows Server 2025 must reach build 26100.33158.
- Windows Server 2019 must reach build 17763.9020.
- Windows Server 2016 must reach build 14393.9339.
winver provides a quick build check, while PowerShell, Microsoft Intune, Configuration Manager, Windows Server Update Services, or another endpoint-management platform is more appropriate for fleet-wide confirmation.Windows Server 2022 receives the fix through KB5099540, which advances the operating system to build 20348.5386. Other supported releases receive the correction through their corresponding July 14 cumulative security updates. Because Windows cumulative updates supersede previous packages, installing the latest applicable update should include the CVE-2026-50429 fix without requiring a separate kernel package.
Legacy Windows 10 entries require some context. Versions such as Windows 10 1607, 1809, and 21H2 are generally relevant only where a supported servicing channel, edition, or Extended Security Updates arrangement remains in place. Unsupported machines do not become safe simply because the same code branch received a correction for supported customers.
Patch-Tuesday Volume Should Not Hide the Kernel Risk
CVE-2026-50429 arrived during an unusually large July 2026 Patch Tuesday. BleepingComputer counted 570 Microsoft vulnerabilities released that day, including 102 information-disclosure issues and three zero-days across the broader update set. The kernel flaw itself was not one of the vulnerabilities Microsoft identified as publicly disclosed or exploited.A release of that size creates a prioritization problem for enterprise IT. Vulnerability scanners may produce hundreds of new findings at once, while change-control teams still have finite testing capacity. CVE-2026-50429 stands out because its CVSS vector does not depend on local access, an authenticated account, or user action.
Server teams should therefore prioritize internet-facing Windows hosts, systems accepting connections from less-trusted network segments, and machines containing high-value credentials or business data. Domain controllers, application servers, remote-access infrastructure, and multi-tenant Windows workloads merit early testing even though Microsoft has not named a specific exposed service.
The usual deployment safeguards still apply. Test the July cumulative updates against storage, networking, endpoint security, backup, and line-of-business workloads; confirm that systems restart successfully; and monitor Microsoft’s Windows release-health documentation for newly acknowledged update issues. Those precautions should shape the rollout order rather than become justification for an open-ended delay.
Installing and verifying the July 14, 2026 cumulative update is the only documented way to close CVE-2026-50429. Until Microsoft publishes more protocol-level detail, administrators should treat the corrected OS build—not the absence of alerts or public exploit code—as the reliable indicator that a Windows machine is protected.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org