CVE-2026-50431 exposes sensitive information through the Windows Quality of Service Packet Scheduler, affecting supported Windows 10, Windows 11, and Windows Server releases until July 2026 security updates are installed. Microsoft rates the flaw Important, although its CVSS 3.1 base score is a more moderate 5.5 because exploitation requires an attacker who already has local access and limited privileges.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability is classified as an information-disclosure issue in the Windows QoS Packet Scheduler. Microsoft’s exploitability assessment says exploitation is less likely, and the company had not identified public disclosure or active attacks when the advisory was released.
The National Vulnerability Database lists the record as awaiting further enrichment, underscoring how little technical detail is publicly available. The existence of the vulnerability and its affected component are confirmed, but Microsoft has not published a proof of concept, a detailed root-cause analysis, or a description of the specific information that can be recovered.
The CVSS vector for CVE-2026-50431 is
The attacker needs low-level privileges rather than administrator access, and no additional user interaction is required. A victim does not have to open a specially crafted document, visit a website, or approve a prompt after the attacker reaches the necessary local execution position.
Successful exploitation can have a high impact on confidentiality. Microsoft assigns no direct integrity or availability impact, meaning the vulnerability is not documented as a route to changing protected data, obtaining SYSTEM privileges, executing code remotely, or crashing the machine.
That distinction should shape prioritization. CVE-2026-50431 is not an unauthenticated network attack against QoS-enabled Windows computers, despite its location in a packet-scheduling component. The local attack vector means a remote adversary would generally need another vulnerability, stolen credentials, malicious software, or an exposed management path to establish the initial foothold.
Its value may therefore be greatest as part of an exploit chain. Information-disclosure vulnerabilities can reveal memory contents, system state, addresses, credentials, cryptographic material, or other data that helps an attacker bypass protections and make a separate privilege-escalation exploit more reliable. Microsoft has not specified which category of information CVE-2026-50431 exposes, so administrators should avoid assuming the leak is either trivial or credential-related.
That confirmed status does not mean working exploit code is circulating. The corresponding
This is an important reading of the generic confidence text displayed in Microsoft’s Security Update Guide. Report Confidence measures certainty that the vulnerability exists and that the published technical classification is credible. It does not measure whether exploitation has been seen in ransomware operations, whether a proof of concept has reached GitHub, or whether the flaw is remotely reachable.
Microsoft’s July assessment provides several useful boundaries:
Server products are also affected, including older Windows Server branches and Windows Server 2025, with Server Core installations represented in the product data. The presence of legacy releases does not mean every ordinary consumer PC remains entitled to a patch; some Windows 10 and Windows Server versions receive updates only through specific servicing channels, editions, or Extended Security Updates arrangements.
Among the corrected build thresholds published in the CVE data are:
The references associated with Windows 11 version 26H1 include KB5095051, originally released on June 9, 2026, indicating that some branches may already contain the correction through an earlier cumulative servicing level. This is normal for Microsoft’s cumulative update model: protection is determined by the installed build and supersedence chain, not simply by whether a machine downloaded an update bearing a July date.
The Windows QoS Packet Scheduler is part of the networking stack and can operate below the policies most administrators interact with. Microsoft has not published enough root-cause detail to establish that turning off a particular policy path eliminates access to the vulnerable code.
For enterprise deployments, the appropriate response is to install the applicable July cumulative update—or a later update that supersedes it—after normal compatibility testing. Because Windows cumulative updates address many vulnerabilities at once and generally require a restart, CVE-2026-50431 should be handled as part of the full July 2026 Windows servicing cycle rather than as a standalone package.
Security teams should also resist ranking it solely by its 5.5 score. Systems used by multiple untrusted users, Remote Desktop Session Hosts, developer workstations, virtual desktop infrastructure, jump boxes, and servers where application identities share an operating system present more opportunities for a low-privileged local attacker to reach an information leak.
For ordinary single-user Windows PCs, the immediate risk remains lower than that of a remotely exploitable or actively attacked vulnerability. The concrete action is nevertheless the same: verify that each supported endpoint has reached the corrected build for its servicing branch, and watch for any later Microsoft revision that clarifies what the QoS Packet Scheduler can disclose.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability is classified as an information-disclosure issue in the Windows QoS Packet Scheduler. Microsoft’s exploitability assessment says exploitation is less likely, and the company had not identified public disclosure or active attacks when the advisory was released.
The National Vulnerability Database lists the record as awaiting further enrichment, underscoring how little technical detail is publicly available. The existence of the vulnerability and its affected component are confirmed, but Microsoft has not published a proof of concept, a detailed root-cause analysis, or a description of the specific information that can be recovered.
Local Access Keeps the Threat Contained, Not Harmless
The CVSS vector for CVE-2026-50431 is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, an attacker must be able to execute code or otherwise interact with the vulnerable system locally, but exploitation is considered low complexity once that foothold exists.The attacker needs low-level privileges rather than administrator access, and no additional user interaction is required. A victim does not have to open a specially crafted document, visit a website, or approve a prompt after the attacker reaches the necessary local execution position.
Successful exploitation can have a high impact on confidentiality. Microsoft assigns no direct integrity or availability impact, meaning the vulnerability is not documented as a route to changing protected data, obtaining SYSTEM privileges, executing code remotely, or crashing the machine.
That distinction should shape prioritization. CVE-2026-50431 is not an unauthenticated network attack against QoS-enabled Windows computers, despite its location in a packet-scheduling component. The local attack vector means a remote adversary would generally need another vulnerability, stolen credentials, malicious software, or an exposed management path to establish the initial foothold.
Its value may therefore be greatest as part of an exploit chain. Information-disclosure vulnerabilities can reveal memory contents, system state, addresses, credentials, cryptographic material, or other data that helps an attacker bypass protections and make a separate privilege-escalation exploit more reliable. Microsoft has not specified which category of information CVE-2026-50431 exposes, so administrators should avoid assuming the leak is either trivial or credential-related.
The Confidence Metric Confirms the Bug, Not an Attack Method
The advisory’s temporal metrics separate confidence in the vulnerability from evidence that attackers can exploit it. CVE-2026-50431 carriesRC:C, or Report Confidence: Confirmed, because Microsoft has acknowledged the flaw, assigned a CVE, identified affected Windows versions, and shipped a correction.That confirmed status does not mean working exploit code is circulating. The corresponding
E:U value indicates unproven exploit-code maturity, while RL:O records that an official remediation is available. Those temporal values reduce the score below the 5.5 base rating, but they do not change Microsoft’s Important severity designation.This is an important reading of the generic confidence text displayed in Microsoft’s Security Update Guide. Report Confidence measures certainty that the vulnerability exists and that the published technical classification is credible. It does not measure whether exploitation has been seen in ransomware operations, whether a proof of concept has reached GitHub, or whether the flaw is remotely reachable.
Microsoft’s July assessment provides several useful boundaries:
- Exploitation is considered less likely on the latest Windows releases.
- Microsoft found no assessment for exploitation against older software.
- The vulnerability was not publicly disclosed before the coordinated release.
- Microsoft was not aware of exploitation in the wild on July 14, 2026.
The Affected Range Spans Old and New Windows Branches
The CVE record identifies a wide Windows footprint. Affected desktop releases include Windows 10 version 1607, Windows 10 version 1809, Windows 10 versions 21H2 and 22H2, Windows 11 version 24H2, Windows 11 version 25H2, and Windows 11 version 26H1.Server products are also affected, including older Windows Server branches and Windows Server 2025, with Server Core installations represented in the product data. The presence of legacy releases does not mean every ordinary consumer PC remains entitled to a patch; some Windows 10 and Windows Server versions receive updates only through specific servicing channels, editions, or Extended Security Updates arrangements.
Among the corrected build thresholds published in the CVE data are:
- Windows 10 version 1607 is corrected at OS build 14393.9339 through KB5099535.
- Windows 10 version 1809 is corrected at OS build 17763.9020 through KB5099538.
- Windows 10 versions 21H2 and 22H2 are corrected at build 19044.7548 and 19045.7548, respectively.
- Windows 11 versions 24H2 and 25H2 are corrected at builds 26100.8875 and 26200.8875.
- Windows 11 version 26H1 is corrected at build 28000.2269.
- Windows Server 2025 is corrected at or beyond the servicing level associated with build 26100.33158.
winver, PowerShell inventory, Microsoft Intune, Configuration Manager, Windows Admin Center, or their vulnerability-management platform.The references associated with Windows 11 version 26H1 include KB5095051, originally released on June 9, 2026, indicating that some branches may already contain the correction through an earlier cumulative servicing level. This is normal for Microsoft’s cumulative update model: protection is determined by the installed build and supersedence chain, not simply by whether a machine downloaded an update bearing a July date.
Patch the Chain Rather Than Hunting for a QoS Workaround
Microsoft lists no mitigation or workaround for CVE-2026-50431. Disabling a visible QoS policy, removing a Group Policy configuration, or assuming that a computer does not use application-defined traffic prioritization should not be treated as equivalent to installing the security update.The Windows QoS Packet Scheduler is part of the networking stack and can operate below the policies most administrators interact with. Microsoft has not published enough root-cause detail to establish that turning off a particular policy path eliminates access to the vulnerable code.
For enterprise deployments, the appropriate response is to install the applicable July cumulative update—or a later update that supersedes it—after normal compatibility testing. Because Windows cumulative updates address many vulnerabilities at once and generally require a restart, CVE-2026-50431 should be handled as part of the full July 2026 Windows servicing cycle rather than as a standalone package.
Security teams should also resist ranking it solely by its 5.5 score. Systems used by multiple untrusted users, Remote Desktop Session Hosts, developer workstations, virtual desktop infrastructure, jump boxes, and servers where application identities share an operating system present more opportunities for a low-privileged local attacker to reach an information leak.
For ordinary single-user Windows PCs, the immediate risk remains lower than that of a remotely exploitable or actively attacked vulnerability. The concrete action is nevertheless the same: verify that each supported endpoint has reached the corrected build for its servicing branch, and watch for any later Microsoft revision that clarifies what the QoS Packet Scheduler can disclose.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org