CVE-2026-50432: KB5101650 Fixes Windows VFP DoS Flaw

Microsoft’s July 14, 2026 security updates fix CVE-2026-50432, a use-after-free vulnerability in the Windows Virtual Filtering Platform that can let an authenticated attacker remotely disrupt an affected system. The flaw is rated Important by Microsoft and carries a CVSS 3.1 base score of 5.3, reflecting a serious availability impact tempered by required privileges and difficult exploitation conditions.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, CVE-2026-50432 affects supported Windows client and server releases from Windows 10 version 1607 through Windows 11 version 26H1, as well as Windows Server 2016, 2019, 2022, and 2025. Administrators should deploy the July cumulative security updates and verify that systems have reached the fixed build for their respective release.

Windows Server Hyper-V VMs face a CVE-2026-50432 security threat, highlighted by shields and a July 2026 calendar.A Memory-Safety Bug Reaches the Virtual Switch​

CVE-2026-50432 is classified as CWE-416, or use after free. This type of memory-safety error occurs when software continues to access an object after the memory backing that object has already been released, potentially causing a crash or other unpredictable behavior.
Microsoft says an authorized attacker can exploit the bug over a network to cause a denial of service. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, meaning the vulnerable component is network-accessible, but exploitation requires low-level privileges and conditions that Microsoft considers difficult to arrange. No user interaction is required.
A successful attack is not expected to expose data or permit unauthorized modification. Microsoft assigns no confidentiality or integrity impact, while rating the availability impact as high. In practical terms, this is a disruption vulnerability rather than a route to code execution or administrative control.
The affected component deserves particular attention in virtualized and software-defined networking environments. Microsoft’s documentation describes VFP as an NDIS forwarding extension within the Hyper-V Virtual Switch, where it enforces virtual networking policies such as access-control rules, network address translation, quality of service, and traffic forwarding.
That architecture places VFP directly in a sensitive packet-processing path. A crash in this area can therefore have operational consequences beyond an ordinary application failure, particularly when a Windows Server host supports multiple virtual machines or participates in a Software Defined Networking deployment.
Microsoft has not published a proof of concept or the packet-level details required to reproduce the issue. The company has nevertheless marked the vulnerability’s report confidence as confirmed, indicating that the vendor has verified the underlying flaw even though most technical details remain private.

Authentication and Complexity Limit the Immediate Threat​

The 5.3 CVSS score may look modest beside critical Windows vulnerabilities, but its individual metrics provide a better deployment signal than the headline number. CVE-2026-50432 is remotely reachable, requires no victim action, and can produce a high availability impact. It is not, however, an unauthenticated Internet-wide crash bug.
An attacker must already possess low privileges, and the attack complexity is rated high. That suggests exploitation depends on specific target conditions, network state, packet sequencing, configuration, or other circumstances beyond simply sending one malformed packet to any Windows machine.
CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment recorded no known exploitation as of July 14. It also classified exploitation as not readily automatable and the technical impact as partial. The National Vulnerability Database was still awaiting its own enrichment at publication time, so Microsoft’s CNA assessment remains the principal technical scoring source.
Those factors make emergency isolation unlikely to be justified for most environments. They do not make the update optional. A low-privileged account on a reachable network may be enough to begin an attack, and denial of service against a virtualization host, network controller component, or other infrastructure server can carry a much larger business impact than the CVSS number alone implies.
Microsoft has not identified active exploitation or public disclosure. No public exploit code was listed when the advisory was released, and the available records do not describe a workaround. The cumulative Windows security update is therefore the direct remediation path.

Fixed Builds Define the Patch Boundary​

Microsoft’s CVE record identifies affected versions using the first build containing the correction. Systems on an earlier build remain vulnerable, while the listed build or a later cumulative update contains the fix.
The principal fixed-build thresholds are:
  • Windows 10 version 1607 and Windows Server 2016 are protected at build 14393.9339 or later.
  • Windows 10 version 1809 and Windows Server 2019 are protected at build 17763.9020 or later.
  • Windows 10 versions 21H2 and 22H2 are protected at builds 19044.7548 and 19045.7548 respectively.
  • Windows Server 2022 is protected at build 20348.5386 or later.
  • Windows 11 version 24H2 is protected at build 26100.8875 or later.
  • Windows 11 version 25H2 is protected at build 26200.8875 or later.
  • Windows 11 version 26H1 is protected at build 28000.2269 or later.
  • Windows Server 2025 is protected at build 26100.33158 or later.
The Windows 11 correction for versions 24H2 and 25H2 arrives in KB5101650, Microsoft’s July 2026 cumulative update, taking those releases to builds 26100.8875 and 26200.8875. Because Windows cumulative updates supersede previous packages, installing a later applicable cumulative update should also carry the VFP correction.
Both Desktop Experience and Server Core installations are affected where Microsoft lists them. Server Core should not be treated as inherently protected merely because it has a reduced user interface and smaller application footprint; the vulnerable networking code remains part of the operating system.
The affected-product list also includes older Windows 10 branches that are no longer broadly supported for ordinary consumer installations. Their appearance reflects servicing channels such as Windows Enterprise LTSC and supported server equivalents, not a revival of general support for every device still running those version numbers.

Infrastructure Teams Have More Exposure to Map​

For a standard Windows desktop without Hyper-V, containers, virtual networking, or SDN roles in use, the practical exposure may be limited even though the operating-system build appears in Microsoft’s affected list. Microsoft has not stated that every default Windows installation presents an equally reachable VFP attack surface.
Server teams should prioritize systems according to function rather than treating all matching builds identically. Hyper-V hosts, Windows Server SDN deployments, container hosts, Azure Stack-related infrastructure, lab clusters, and machines with complex virtual-switch configurations warrant earlier testing and rollout.
Administrators should also remember that a denial-of-service vulnerability can be used as part of a broader intrusion. An attacker who has already obtained low privileges may exploit a crash condition to interrupt monitoring, disrupt workloads, force failover, complicate incident response, or repeatedly destabilize a host while other activity continues elsewhere.
After deployment, vulnerability scanners should validate the installed build rather than relying solely on Windows Update status. Endpoint-management platforms can report a device as compliant with an assigned policy while an update remains pending, has failed installation, or awaits a reboot.
For Windows 11 24H2 and 25H2, winver, the Settings app, PowerShell inventory, or management tooling should show build 26100.8875 or 26200.8875 after successful installation. Equivalent build checks should be used for the server and Windows 10 branches.
Organizations operating clustered Hyper-V hosts should follow their normal rolling-maintenance process instead of patching every node simultaneously. The flaw threatens availability, but an uncontrolled update cycle can create the same outcome administrators are trying to prevent.
CVE-2026-50432 is not the most urgent vulnerability in Microsoft’s July 2026 release, and the current evidence does not support treating it as an active zero-day. Its reach across Windows client and server builds, combined with VFP’s role in Hyper-V and software-defined networking, still makes it a meaningful infrastructure fix. The concrete endpoint is straightforward: deploy the July cumulative update, complete required restarts, and confirm that every relevant host has crossed Microsoft’s fixed-build boundary.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: microsoft.com
 

Back
Top