CVE-2026-50434 exposes sensitive information through Windows Push Notifications, and Microsoft has shipped fixes for affected Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025 systems. The flaw requires an attacker to already have local authorization, but successful exploitation can disclose data without user interaction.
Microsoft published the vulnerability on July 14, 2026, as part of its monthly security release. The Microsoft Security Response Center rates it Important, while the National Vulnerability Database lists Microsoft’s CVSS 3.1 base score of 5.5, placing it in the Medium range.
Administrators should install the July cumulative update for each affected Windows release rather than attempt to disable push notifications. Microsoft has not documented a separate workaround or configuration-based mitigation.
Microsoft describes CVE-2026-50434 as an exposure of sensitive information to an unauthorized actor in Windows Push Notifications. The associated weakness is CWE-200, the broad category used when a product reveals information to someone who should not be able to access it.
The CVSS vector is
The practical risk therefore depends heavily on who can run code or sign in locally. A single-user PC with tightly controlled software installation presents a different exposure profile from a Remote Desktop Session Host, developer workstation, shared laboratory PC, virtual desktop pool, or server that allows multiple administrators and service identities to operate concurrently.
Local access should not be mistaken for physical access. Malware running under an ordinary user account, a malicious application, a compromised remote session, or an attacker who has obtained valid low-privilege credentials may all satisfy the local and low-privilege conditions represented by the CVSS vector.
For mainstream Windows 11 deployments, the relevant package is KB5101650. Microsoft’s release notes say it moves Windows 11 version 24H2 to build 26100.8875 and Windows 11 version 25H2 to build 26200.8875. The cumulative update is available through Windows Update, Windows Update for Business, Microsoft Update Catalog, and Windows Server Update Services.
Windows 10 version 22H2 and the remaining version 21H2 servicing configurations receive KB5099539, producing builds 19045.7548 and 19044.7548 respectively. Because Windows 10 servicing eligibility varies by edition and support program in 2026, administrators should verify that every device expected to receive extended updates is correctly enrolled and reporting a July build.
The affected and corrected build thresholds disclosed through the CVE record are:
The Windows 11 version 26H1 entry deserves attention because its listed security boundary is build 28000.2269, which Microsoft distributed with KB5095051 on June 9, 2026. July’s servicing release moves 26H1 devices beyond that level, but administrators auditing the CVE should compare installed builds rather than assume that every affected product first received its fix in the same package.
Windows 11 version 23H2 does not appear in Microsoft’s affected-product data for CVE-2026-50434. Its absence should not be interpreted as a reason to skip the July cumulative update, which contains fixes for other Windows vulnerabilities, but it indicates that Microsoft has not identified 23H2 as vulnerable to this particular push-notification issue.
That lack of detail restricts defenders’ ability to build a reliable behavioral detection specifically for CVE-2026-50434. Security teams can monitor suspicious local processes, unusual access between user sessions, and post-compromise activity, but the available advisory does not provide a distinctive event ID, file-access pattern, process name, or notification payload that definitively identifies exploitation.
CISA’s vulnerability record marked exploitation as “none” on July 14 and assessed the activity as non-automatable with partial technical impact. That indicates no known exploitation was recorded at publication, not that exploitation is impossible or that defenders can safely defer the update.
The vulnerability’s low attack complexity is the more relevant signal for patch prioritization. Once researchers or attackers determine the precise disclosure mechanism, exploitation may not require an elaborate race condition or extensive preparation. Microsoft’s confirmation of the issue also gives would-be attackers a bounded set of Windows builds and a named subsystem to compare before and after patching.
Information-disclosure flaws frequently matter most as part of an attack chain. Data exposed by one vulnerability can help malware cross a security boundary, identify another user’s activity, recover secrets, or undermine protections that depend on information remaining unpredictable. Microsoft has not said that CVE-2026-50434 enables any particular follow-on attack, so such scenarios remain risk considerations rather than confirmed capabilities.
Administrators should instead use their normal endpoint-management tooling to identify machines below the fixed build thresholds. Microsoft Intune, Configuration Manager, Windows Update for Business reporting, PowerShell inventory, and third-party patch platforms can all provide the installed OS build needed for comparison.
Testing remains appropriate because the July cumulative updates contain more than the CVE-2026-50434 fix. For example, KB5101650 introduces networking hardening around third-party Transport Driver Interface transports and includes other security and quality changes. Microsoft currently reports no known issues for KB5101650, but organizations with legacy networking software should still validate the complete update in representative rings.
After deployment, administrators can confirm the Windows version and OS build by running
CVE-2026-50434 is not a remote, unauthenticated emergency, but it is a confirmed confidentiality flaw with low-complexity exploitation and no user-interaction requirement. The concrete endpoint for remediation is straightforward: move affected systems to the applicable July 2026 cumulative build—or later—and investigate any device that remains below it because of servicing failures, unsupported software, or lapsed Windows 10 update eligibility.
Microsoft published the vulnerability on July 14, 2026, as part of its monthly security release. The Microsoft Security Response Center rates it Important, while the National Vulnerability Database lists Microsoft’s CVSS 3.1 base score of 5.5, placing it in the Medium range.
Administrators should install the July cumulative update for each affected Windows release rather than attempt to disable push notifications. Microsoft has not documented a separate workaround or configuration-based mitigation.
Local Access Limits the Attack, Not the Disclosure
Microsoft describes CVE-2026-50434 as an exposure of sensitive information to an unauthorized actor in Windows Push Notifications. The associated weakness is CWE-200, the broad category used when a product reveals information to someone who should not be able to access it.The CVSS vector is
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. That string establishes several important boundaries around the vulnerability:- An attacker must operate locally rather than exploit the flaw directly across a network.
- Exploitation has low complexity and requires only low privileges.
- The victim does not need to click, open, or approve anything.
- The expected impact is limited to confidentiality, with no direct integrity or availability impact recorded.
The practical risk therefore depends heavily on who can run code or sign in locally. A single-user PC with tightly controlled software installation presents a different exposure profile from a Remote Desktop Session Host, developer workstation, shared laboratory PC, virtual desktop pool, or server that allows multiple administrators and service identities to operate concurrently.
Local access should not be mistaken for physical access. Malware running under an ordinary user account, a malicious application, a compromised remote session, or an attacker who has obtained valid low-privilege credentials may all satisfy the local and low-privilege conditions represented by the CVSS vector.
The July Builds Mark the Security Boundary
The CVE record identifies affected versions by their pre-fix build ranges. Systems at or above the corrected July 2026 builds are outside those vulnerable ranges.For mainstream Windows 11 deployments, the relevant package is KB5101650. Microsoft’s release notes say it moves Windows 11 version 24H2 to build 26100.8875 and Windows 11 version 25H2 to build 26200.8875. The cumulative update is available through Windows Update, Windows Update for Business, Microsoft Update Catalog, and Windows Server Update Services.
Windows 10 version 22H2 and the remaining version 21H2 servicing configurations receive KB5099539, producing builds 19045.7548 and 19044.7548 respectively. Because Windows 10 servicing eligibility varies by edition and support program in 2026, administrators should verify that every device expected to receive extended updates is correctly enrolled and reporting a July build.
The affected and corrected build thresholds disclosed through the CVE record are:
| Windows release | Architecture | Corrected build threshold |
|---|---|---|
| Windows 10 version 21H2 | x86, x64 and ARM64 | 19044.7548 |
| Windows 10 version 22H2 | x86, x64 and ARM64 | 19045.7548 |
| Windows 11 version 24H2 | x64 and ARM64 | 26100.8875 |
| Windows 11 version 25H2 | x64 and ARM64 | 26200.8875 |
| Windows 11 version 26H1 | x64 and ARM64 | 28000.2269 |
| Windows Server 2022 | x64 | 20348.5386 |
| Windows Server 2025 | x64 | 26100.33158 |
| Windows Server 2025 Server Core | x64 | 26100.33158 |
Windows 11 version 23H2 does not appear in Microsoft’s affected-product data for CVE-2026-50434. Its absence should not be interpreted as a reason to skip the July cumulative update, which contains fixes for other Windows vulnerabilities, but it indicates that Microsoft has not identified 23H2 as vulnerable to this particular push-notification issue.
Sparse Technical Detail Keeps Detection Options Narrow
Microsoft has not publicly described the data that can be exposed, the vulnerable operation inside Windows Push Notifications, or the component files changed to close the flaw. There is also no public proof-of-concept attached to the advisory.That lack of detail restricts defenders’ ability to build a reliable behavioral detection specifically for CVE-2026-50434. Security teams can monitor suspicious local processes, unusual access between user sessions, and post-compromise activity, but the available advisory does not provide a distinctive event ID, file-access pattern, process name, or notification payload that definitively identifies exploitation.
CISA’s vulnerability record marked exploitation as “none” on July 14 and assessed the activity as non-automatable with partial technical impact. That indicates no known exploitation was recorded at publication, not that exploitation is impossible or that defenders can safely defer the update.
The vulnerability’s low attack complexity is the more relevant signal for patch prioritization. Once researchers or attackers determine the precise disclosure mechanism, exploitation may not require an elaborate race condition or extensive preparation. Microsoft’s confirmation of the issue also gives would-be attackers a bounded set of Windows builds and a named subsystem to compare before and after patching.
Information-disclosure flaws frequently matter most as part of an attack chain. Data exposed by one vulnerability can help malware cross a security boundary, identify another user’s activity, recover secrets, or undermine protections that depend on information remaining unpredictable. Microsoft has not said that CVE-2026-50434 enables any particular follow-on attack, so such scenarios remain risk considerations rather than confirmed capabilities.
Inventory Comes Before Notification Tweaks
Disabling application notifications is not a documented fix. Windows Push Notification Services form part of the platform’s application and system-notification infrastructure, and changing user-facing notification settings should not be assumed to remove the vulnerable code path.Administrators should instead use their normal endpoint-management tooling to identify machines below the fixed build thresholds. Microsoft Intune, Configuration Manager, Windows Update for Business reporting, PowerShell inventory, and third-party patch platforms can all provide the installed OS build needed for comparison.
Testing remains appropriate because the July cumulative updates contain more than the CVE-2026-50434 fix. For example, KB5101650 introduces networking hardening around third-party Transport Driver Interface transports and includes other security and quality changes. Microsoft currently reports no known issues for KB5101650, but organizations with legacy networking software should still validate the complete update in representative rings.
After deployment, administrators can confirm the Windows version and OS build by running
winver, checking the device record in their management platform, or querying Windows through PowerShell. Merely seeing a successful update installation event is less useful than verifying that the machine actually reached the required build and completed its restart.CVE-2026-50434 is not a remote, unauthenticated emergency, but it is a confirmed confidentiality flaw with low-complexity exploitation and no user-interaction requirement. The concrete endpoint for remediation is straightforward: move affected systems to the applicable July 2026 cumulative build—or later—and investigate any device that remains below it because of servicing failures, unsupported software, or lapsed Windows 10 update eligibility.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com