CVE-2026-50459 is a newly patched Windows Kernel elevation-of-privilege vulnerability that can let an unauthorized local attacker gain higher privileges after triggering a use-after-free memory error. Microsoft published the flaw on July 14, 2026, with a CVSS 3.1 base score of 7.0 and an Important severity rating, making this month’s cumulative Windows updates the practical fix.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, CVE-2026-50459 affects supported Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025 releases. Microsoft assesses exploitation as less likely, and neither Microsoft nor CISA currently reports active exploitation.
The vulnerability is not remotely exploitable by itself. An attacker must operate in a local context, overcome high-complexity conditions, and induce user interaction, but the CVSS vector does not require the attacker to begin with an already privileged account.
Microsoft describes CVE-2026-50459 as a use-after-free vulnerability in the Windows Kernel. This class of defect occurs when software continues to access memory after the object occupying that memory has been released, potentially allowing an attacker to influence what the application or operating system finds at the old address.
Kernel use-after-free vulnerabilities are particularly significant because the affected code operates at the heart of Windows. Successful exploitation can cross a security boundary between an untrusted process and privileged operating-system resources, potentially compromising the confidentiality, integrity, and availability of the affected device.
Microsoft assigned the following CVSS 3.1 vector:
That vector describes an attack with these characteristics:
Microsoft has not publicly documented the precise user action, vulnerable kernel routine, memory layout requirement, or reliable exploitation sequence. Administrators should therefore avoid assuming that a particular browser, document type, executable format, or Windows feature provides protection unless Microsoft publishes additional technical guidance.
The corrected build thresholds include:
Windows Server 2025 Server Core installations are also affected and share the corrected build threshold of 26100.33158. The Server Core designation matters because removing the desktop interface does not remove the vulnerable kernel code.
For Windows 11 versions 24H2 and 25H2, Microsoft delivers the fix through the July cumulative update KB5101650. That package moves Windows 11 24H2 to build 26100.8875 and Windows 11 25H2 to build 26200.8875.
Because Windows security updates are cumulative, organizations do not need to deploy a separate CVE-specific package. Installing the applicable July 14 cumulative security update—or a later cumulative update that supersedes it—brings in the kernel correction alongside the rest of that month’s security and quality changes.
Administrators should verify the installed OS build rather than relying solely on an update-management console showing that a deployment was approved. Devices can remain below the fixed build because of installation failures, safeguard holds, servicing problems, extended offline periods, or reboot requirements.
That is separate from exploit maturity. Microsoft’s exploitability assessment says exploitation is less likely, while CISA’s Stakeholder-Specific Vulnerability Categorization data records no known exploitation and describes the attack as not automatable.
Those ratings reduce the case for emergency, out-of-band disruption, but they do not make the patch optional. CISA also assesses the potential technical impact as total, reflecting the broad consequences possible if exploitation succeeds.
The high attack-complexity score is another moderating factor. Reliable use-after-free exploitation can depend on timing, memory reuse, system state, processor architecture, enabled security features, or a carefully arranged sequence of operations. Those constraints may make a proof of concept unreliable across Windows builds while still leaving selected systems exploitable under controlled conditions.
The absence of known exploitation is also a point-in-time judgment. Microsoft released the advisory on July 14, 2026, and public documentation remains sparse one day later. Attackers can compare patched and unpatched kernel binaries after Patch Tuesday, a process known as patch diffing, to identify the changed code and investigate possible exploitation paths.
Enterprise IT teams should deploy the applicable cumulative update through Windows Update for Business, Windows Autopatch, Microsoft Intune, Windows Server Update Services, Configuration Manager, or their normal patch-management platform. Kernel changes generally require a restart before the corrected code is active, so compliance reporting should distinguish between an update that has downloaded and one that has completed installation.
CVE-2026-50459 should receive particular attention on systems where untrusted code is more likely to execute, including shared workstations, virtual desktop hosts, developer machines, jump boxes, and servers that run third-party agents or user-submitted workloads. Endpoint detection controls remain useful for preventing the initial execution stage, but they are not substitutes for correcting the kernel defect.
Organizations should also watch for revisions to the Microsoft Security Update Guide entry. The advisory currently does not expose enough technical detail to create dependable CVE-specific detection logic, and no vendor workaround or configuration-based mitigation has been identified as an alternative to updating.
The immediate operational target is therefore concrete: move every affected machine to its listed fixed build or later, confirm that required restarts have completed, and investigate any endpoint that cannot accept the July cumulative update. CVE-2026-50459 is not presently a zero-day emergency, but an unpatched Windows kernel remains a valuable second stage for any attacker who can persuade a user or process to trigger it.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, CVE-2026-50459 affects supported Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025 releases. Microsoft assesses exploitation as less likely, and neither Microsoft nor CISA currently reports active exploitation.
The vulnerability is not remotely exploitable by itself. An attacker must operate in a local context, overcome high-complexity conditions, and induce user interaction, but the CVSS vector does not require the attacker to begin with an already privileged account.
A Kernel Memory Error With High Impact
Microsoft describes CVE-2026-50459 as a use-after-free vulnerability in the Windows Kernel. This class of defect occurs when software continues to access memory after the object occupying that memory has been released, potentially allowing an attacker to influence what the application or operating system finds at the old address.Kernel use-after-free vulnerabilities are particularly significant because the affected code operates at the heart of Windows. Successful exploitation can cross a security boundary between an untrusted process and privileged operating-system resources, potentially compromising the confidentiality, integrity, and availability of the affected device.
Microsoft assigned the following CVSS 3.1 vector:
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HThat vector describes an attack with these characteristics:
- Exploitation must be performed locally rather than directly across a network.
- The attack requires conditions outside the attacker’s direct control, producing a high attack-complexity rating.
- No existing privileges are required at the start of the documented attack path.
- A separate user must take some action for exploitation to succeed.
- A successful attack can have a high impact on data confidentiality, data integrity, and system availability.
Microsoft has not publicly documented the precise user action, vulnerable kernel routine, memory layout requirement, or reliable exploitation sequence. Administrators should therefore avoid assuming that a particular browser, document type, executable format, or Windows feature provides protection unless Microsoft publishes additional technical guidance.
The Patch Line Runs Across Windows Client and Server
The CVE record identifies affected releases across x86, x64, and Arm64 systems. A device remains vulnerable when its Windows build is below the corrected build specified for that product branch.The corrected build thresholds include:
| Windows release | Patched build threshold |
|---|---|
| Windows 10 version 21H2 | 19044.7548 |
| Windows 10 version 22H2 | 19045.7548 |
| Windows 11 version 24H2 | 26100.8875 |
| Windows 11 version 25H2 | 26200.8875 |
| Windows 11 version 26H1 | 28000.2269 |
| Windows Server 2022 | 20348.5386 |
| Windows Server 2025 | 26100.33158 |
For Windows 11 versions 24H2 and 25H2, Microsoft delivers the fix through the July cumulative update KB5101650. That package moves Windows 11 24H2 to build 26100.8875 and Windows 11 25H2 to build 26200.8875.
Because Windows security updates are cumulative, organizations do not need to deploy a separate CVE-specific package. Installing the applicable July 14 cumulative security update—or a later cumulative update that supersedes it—brings in the kernel correction alongside the rest of that month’s security and quality changes.
Administrators should verify the installed OS build rather than relying solely on an update-management console showing that a deployment was approved. Devices can remain below the fixed build because of installation failures, safeguard holds, servicing problems, extended offline periods, or reboot requirements.
“Confirmed” Does Not Mean Exploitation Is Underway
The supplied report-confidence language describes how strongly the vendor can substantiate the flaw, not how likely attackers are to exploit it. In this case, confidence is high because Microsoft has formally acknowledged the vulnerability and issued corrected Windows builds.That is separate from exploit maturity. Microsoft’s exploitability assessment says exploitation is less likely, while CISA’s Stakeholder-Specific Vulnerability Categorization data records no known exploitation and describes the attack as not automatable.
Those ratings reduce the case for emergency, out-of-band disruption, but they do not make the patch optional. CISA also assesses the potential technical impact as total, reflecting the broad consequences possible if exploitation succeeds.
The high attack-complexity score is another moderating factor. Reliable use-after-free exploitation can depend on timing, memory reuse, system state, processor architecture, enabled security features, or a carefully arranged sequence of operations. Those constraints may make a proof of concept unreliable across Windows builds while still leaving selected systems exploitable under controlled conditions.
The absence of known exploitation is also a point-in-time judgment. Microsoft released the advisory on July 14, 2026, and public documentation remains sparse one day later. Attackers can compare patched and unpatched kernel binaries after Patch Tuesday, a process known as patch diffing, to identify the changed code and investigate possible exploitation paths.
Patch Broadly, Then Verify the Kernel Build
For home and unmanaged Windows PCs, the appropriate response is to install the July 2026 security update through Settings, Windows Update, and restart when prompted. Runningwinver afterward provides a quick check of the installed Windows version and OS build.Enterprise IT teams should deploy the applicable cumulative update through Windows Update for Business, Windows Autopatch, Microsoft Intune, Windows Server Update Services, Configuration Manager, or their normal patch-management platform. Kernel changes generally require a restart before the corrected code is active, so compliance reporting should distinguish between an update that has downloaded and one that has completed installation.
CVE-2026-50459 should receive particular attention on systems where untrusted code is more likely to execute, including shared workstations, virtual desktop hosts, developer machines, jump boxes, and servers that run third-party agents or user-submitted workloads. Endpoint detection controls remain useful for preventing the initial execution stage, but they are not substitutes for correcting the kernel defect.
Organizations should also watch for revisions to the Microsoft Security Update Guide entry. The advisory currently does not expose enough technical detail to create dependable CVE-specific detection logic, and no vendor workaround or configuration-based mitigation has been identified as an alternative to updating.
The immediate operational target is therefore concrete: move every affected machine to its listed fixed build or later, confirm that required restarts have completed, and investigate any endpoint that cannot accept the July cumulative update. CVE-2026-50459 is not presently a zero-day emergency, but an unpatched Windows kernel remains a valuable second stage for any attacker who can persuade a user or process to trigger it.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org
- Related coverage: tomshardware.com
Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild | Tom's Hardware
System administrators, run the May 12 patch immediately if you haven't already.www.tomshardware.com