CVE-2026-50463: July Updates Fix Remote Windows Kernel Data Leak

CVE-2026-50463 is a remotely reachable Windows Kernel information-disclosure flaw that can expose sensitive memory without authentication or user interaction. Microsoft addressed the vulnerability in its July 14, 2026 security updates, and administrators should prioritize supported Windows clients and servers that accept untrusted network traffic.
Detailed in the Microsoft Security Response Center’s July Patch Tuesday advisory, the vulnerability carries an Important severity rating and a CVSS 3.1 base score of 7.5. The National Vulnerability Database describes the underlying weakness as an out-of-bounds read, tracked as CWE-125, in the Windows Kernel.
Microsoft’s scoring vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. In practical terms, an attacker can potentially trigger the flaw across a network with low attack complexity, without holding an account and without persuading a user to open a file or click a link.
At publication, Microsoft had not marked CVE-2026-50463 as publicly disclosed or exploited in attacks. SANS Internet Storm Center also listed it as neither public nor exploited, with Microsoft assessing exploitation as less likely. That lowers the immediate emergency level, but the network attack vector and high confidentiality impact make delayed patching difficult to justify on exposed systems.

Cybersecurity illustration showing protected servers, Windows systems, data networks, and cyberattack threats.The Score Points to Data Theft, Not System Takeover​

CVE-2026-50463 does not directly grant code execution, administrative privileges, or the ability to alter data. Its CVSS vector assigns no integrity or availability impact, meaning Microsoft has not described the bug as a route to modifying the system or crashing it.
The risk is instead concentrated entirely in confidentiality. An out-of-bounds read occurs when software reads beyond the intended boundary of a memory buffer, potentially returning adjacent data that should never have been included in a response. Depending on the affected kernel path and the contents of nearby memory, that can disclose information useful for reconnaissance or subsequent exploitation.
Microsoft has not publicly documented exactly which kernel interface is involved, what network traffic reaches the vulnerable code, or which memory objects may be exposed. There is consequently no evidence that CVE-2026-50463 independently reveals credentials, cryptographic keys, or other specific secrets. Those outcomes should be treated as possibilities associated with memory-disclosure flaws, not confirmed behavior for this CVE.
That distinction matters when triaging a large Patch Tuesday deployment. CVE-2026-50463 is not equivalent to an unauthenticated remote-code-execution vulnerability, but it also is not a harmless diagnostic leak. Information disclosure can weaken security boundaries, reveal system state, and make another vulnerability easier to exploit reliably.

Microsoft’s Confidence Rating Leaves Little Ambiguity​

The advisory’s temporal scoring uses RC:C, meaning Report Confidence: Confirmed. This metric addresses confidence in the vulnerability’s existence and the credibility of the available technical information; it does not describe the probability of exploitation.
A confirmed rating means Microsoft has acknowledged the flaw and supplied a security update. Administrators therefore should not interpret the limited public technical detail as uncertainty over whether vulnerable systems are affected. The uncertainty lies in how attackers could operationalize the issue and what useful data can be extracted, not in whether the kernel bug exists.
Microsoft also assigned E:U, or unproven exploit-code maturity, and RL:O, indicating that an official remediation is available. Those temporal factors reduce the score from the 7.5 base rating to 6.5, reflecting the absence of known working exploit code and the availability of patches.
This combination produces a familiar Patch Tuesday profile: a technically significant bug with a confirmed fix, but no current evidence of public exploitation. For IT teams, that supports prompt deployment through the normal accelerated security-update process rather than emergency isolation of every affected host.

Supported Windows Generations Are in Scope​

The CVE record identifies affected builds across current Windows client and server families. These include Windows 10 Version 1809, Windows 10 Version 21H2 and 22H2, Windows 11 Version 24H2, Windows 11 Version 25H2, Windows 11 version 26H1, Windows Server 2019, Windows Server 2022, and Windows Server 2025.
Some of those releases remain available only in particular servicing channels or editions. Windows 10 Version 21H2 and Version 22H2 systems, for example, may depend on Long-Term Servicing Channel or Extended Security Updates eligibility rather than standard consumer support. Administrators should verify that every device is enrolled in an applicable servicing program instead of assuming Windows Update will offer a fix to an unsupported installation.
The patched build thresholds recorded for affected systems include:
  • Windows 10 Version 1809 and Windows Server 2019 move to build 17763.9020.
  • Windows 10 Version 21H2 moves to build 19044.7548.
  • Windows 10 Version 22H2 moves to build 19045.7548.
  • Windows 11 Version 24H2 moves to build 26100.8875.
  • Windows 11 Version 25H2 moves to build 26200.8875.
  • Windows 11 version 26H1 moves to build 28000.2269.
  • Windows Server 2022 moves to build 20348.5386.
For Windows 10 Version 21H2 and 22H2, Microsoft’s July package is KB5099539. Windows Server 2022 receives KB5099540. Organizations should use the Security Update Guide, Windows Update for Business reports, Configuration Manager, Intune, WSUS, or their normal vulnerability-management platform to match each remaining edition with its applicable KB and corrected build.
Build verification is especially important on servers where cumulative updates may show as installed but remain pending a restart. Because Windows cumulative updates replace kernel components, a machine should not be considered remediated until installation has completed successfully and the reported OS build meets or exceeds Microsoft’s fixed threshold.

Network Exposure Raises the Patch Priority​

The AV:N rating is the most consequential element for defenders. It indicates that exploitation can cross a network boundary rather than requiring local code execution or physical access. Microsoft has not identified the specific protocol or service involved, so administrators currently lack a narrow port-based mitigation that can be applied with confidence.
That makes the cumulative update the dependable remedy. Microsoft lists no separate mitigation or workaround for CVE-2026-50463, and speculative firewall changes could disrupt services without blocking the vulnerable path.
Internet-facing Windows Server systems, remotely accessible infrastructure, and endpoints on untrusted or weakly segmented networks deserve the earliest deployment rings. Domain controllers, virtualization hosts, management servers, and other high-value machines should also receive close attention because kernel memory on those systems may contain information with greater value to an attacker.
Security teams should monitor for revisions to the MSRC entry as Microsoft, NIST, or an acknowledged researcher publishes additional details. The advisory was released on July 14, 2026 and remains technically sparse, so detection guidance may emerge after defenders have already begun deploying the update.
For now, the practical response is straightforward: install the July 2026 cumulative security update, complete the required restart, and confirm the corrected build across the fleet. CVE-2026-50463 is confirmed, remotely reachable, and patched—three facts that make waiting for exploit code a poor deployment strategy.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
 

Back
Top