CVE-2026-50454: Install KB5101650 to Fix Windows 11 Elevation Flaw

CVE-2026-50454 is a high-severity elevation-of-privilege vulnerability in Windows User Interface Core that can let an authenticated local attacker gain substantially broader control of an affected PC or server. Microsoft addressed the flaw in security updates covering Windows 11 versions 24H2, 25H2 and 26H1, along with Windows Server 2025 and its Server Core installation option.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability carries a CVSS 3.1 base score of 7.8. Microsoft describes the underlying weakness as relative path traversal in Windows User Interface Core, while the CVE record classifies it as CWE-23: Relative Path Traversal.
This is not a remote, unauthenticated entry point. An attacker must already possess low-level privileges and the ability to execute code locally, but successful exploitation could compromise confidentiality, integrity and availability at a high level.

A hooded hacker targets Windows while a shield shows CVE-2026-50454 patched and privilege escalation blocked.A Local Foothold Could Become a Full Compromise​

The CVSS vector for CVE-2026-50454 is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, the attack is local, has low complexity, requires low privileges and does not require another user to click a file, approve a prompt or perform some other action.
That combination makes the flaw particularly relevant to environments where an attacker may initially land in a restricted user account. Phishing, malicious installers, compromised developer tools and abused remote-access credentials can all provide the kind of initial foothold from which a local privilege-escalation exploit becomes useful.
Microsoft has not published a detailed exploitation sequence, and the public CVE description does not identify a specific executable, service or user-interface workflow. The available information indicates that Windows User Interface Core improperly handles a relative path, potentially allowing an attacker-controlled path to resolve somewhere the operating system did not intend.
Path-traversal weaknesses are often associated with reading or writing files outside an expected directory. In a privilege-escalation context, the concern is that a less-trusted process could influence a more privileged Windows component’s interaction with files, resources or executable content.
The CVSS assessment assigns high impact to confidentiality, integrity and availability. That means successful exploitation could theoretically enable access to protected information, unauthorized changes and disruption of system resources, although Microsoft has not publicly documented the exact post-exploitation capabilities for this CVE.
The score’s unchanged scope designation is also important. It indicates that the security impact remains within the same Windows security authority rather than crossing into a separately controlled service, but it does not make the outcome minor. A local attacker who moves from a standard account into an administrative or system-level context may effectively take control of the machine.

The Affected Windows Builds Draw a Clear Patch Line​

The official CVE record identifies a narrower product set than many broadly applicable Windows vulnerabilities. Windows 10, Windows Server 2022 and older supported server releases are not listed as affected at publication time.
Affected installations include:
  • Windows 11 24H2 on x64 and ARM64 systems before build 26100.8875.
  • Windows 11 25H2 on x64 and ARM64 systems before build 26200.8875.
  • Windows 11 26H1 on x64 and ARM64 systems before build 28000.2269.
  • Windows Server 2025 before build 26100.33158.
  • Windows Server 2025 Server Core before build 26100.33158.
For Windows 11 24H2 and 25H2, Microsoft’s July cumulative update KB5101650 advances the operating systems to builds 26100.8875 and 26200.8875 respectively. Devices on either branch that remain below those build numbers should be treated as vulnerable.
The Windows 11 26H1 boundary is less intuitive because build 28000.2269 was delivered with the June 9 security update KB5095051. According to Microsoft’s version ranges, systems already running that build or a later one are beyond the affected range even though CVE-2026-50454 was publicly documented on July 14.
That chronology suggests the relevant code correction was already present in the June 26H1 servicing baseline, with Microsoft’s July CVE publication formalizing the vulnerability record. Administrators should rely on the affected-version data rather than assuming that every CVE announced in July necessarily requires a July-dated package on every Windows branch.
For Windows Server 2025, both Desktop Experience and Server Core require a build at or above 26100.33158. Server Core’s reduced graphical footprint does not remove exposure because Windows User Interface Core components can remain part of the underlying operating-system servicing surface.
Administrators can verify a client build by running winver or checking Settings > System > About. At scale, Microsoft Intune, Configuration Manager, Windows Update for Business reporting, PowerShell inventory or another endpoint-management platform should be used to locate devices below the fixed builds.

“Confirmed” Describes Evidence, Not Active Exploitation​

The report-confidence language included in Microsoft’s advisory is part of the CVSS temporal metrics framework. A rating of confirmed means that detailed reports, reproducible evidence or vendor acknowledgement establishes that the vulnerability exists.
It does not mean Microsoft has confirmed attacks in the wild.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data recorded no known exploitation as of July 14. It also classified exploitation as non-automatable, indicating that exploitation is not presently assessed as a simple end-to-end operation that can be indiscriminately launched across targets without meaningful attacker preparation.
The National Vulnerability Database was still awaiting its own enrichment when the record appeared, but it displayed Microsoft’s 7.8 CNA score and affected-version information. Microsoft, as the assigning CVE Numbering Authority and vendor of the affected products, is currently the primary source for the technical scope.
No public proof-of-concept exploit, detailed root-cause analysis or named researcher acknowledgement was visible in the initial record. That limits defenders’ ability to hunt for one precise artifact, but it also limits attackers who would otherwise be able to copy a published exploit.
That information gap should not be interpreted as proof that exploitation is impractical. Local privilege-escalation vulnerabilities are frequently combined with separate initial-access techniques, and technical details can emerge after patches have been distributed and binaries become available for comparison.

Enterprise Priority Depends on Who Can Run Code​

CVE-2026-50454 does not carry the urgency of an internet-facing, pre-authentication remote-code-execution flaw. A properly segmented server that does not permit interactive use presents a different risk profile from a shared workstation, virtual desktop host or developer machine where untrusted code is routinely executed.
Still, the low attack complexity and absence of required user interaction make timely cumulative-update deployment the appropriate response. Once an attacker has authenticated local access, the vulnerability does not depend on persuading another user to participate.
Higher-priority systems include multi-user endpoints, pooled virtual desktops, administrative jump boxes and Windows Server 2025 hosts on which non-administrators can execute programs. Workstations used for software development, package testing or handling files from external sources also deserve attention because their users routinely run code from varied origins.
Security teams should continue to enforce least privilege and application control rather than treating the cumulative update as a complete answer. Microsoft Defender Application Control, AppLocker, attack-surface reduction rules and restrictions on interactive server logons can reduce the opportunities available to an attacker who obtains a standard account.
There is no separate workaround documented in the public CVE record that provides an equivalent substitute for the fixed Windows components. The practical remediation is to install the appropriate cumulative security update, restart where required and verify that the resulting build meets or exceeds Microsoft’s corrected version.
For most Windows 11 24H2 and 25H2 estates, that means confirming deployment of KB5101650 and builds 26100.8875 or 26200.8875. Windows 11 26H1 systems should be on build 28000.2269 or later, while Windows Server 2025 must reach build 26100.33158 or newer.
The unresolved issue is whether deeper technical details or functional exploit code will surface after researchers examine the patched binaries. Until then, CVE-2026-50454 remains a confirmed, high-impact local escalation flaw without reported active exploitation—and a straightforward reason to ensure July’s Windows servicing baselines have actually reached every affected machine.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
 

Back
Top