CVE-2026-50470: Patch Windows NPS SNMP Flaw by July 14

CVE-2026-50470 exposes Windows Network Policy Server systems to unauthenticated information disclosure through SNMP, with Microsoft rating the vulnerability Important and assigning it a CVSS 3.1 base score of 7.5. Administrators running NPS or related SNMP components should install the July 14, 2026 Windows security updates rather than treating this as a routine low-impact data leak.
Detailed in Microsoft’s Security Update Guide and published as part of July 2026 Patch Tuesday, the vulnerability is an out-of-bounds read tracked as CWE-125. Microsoft says an unauthorized attacker can exploit the flaw over a network without user interaction, potentially reading information that should remain outside the bounds of the data being processed.
The National Vulnerability Database received the Microsoft-issued record on July 14 and lists the attack vector as AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. In practical terms, exploitation can be performed remotely, requires low attack complexity, needs no existing privileges, and does not depend on a user opening a file or clicking a link.

Cybersecurity server room shows protected infrastructure and a red “out-of-bounds read” CVE-2026-50470 alert.A Read Flaw With a Network-Reachable Attack Path​

An out-of-bounds read occurs when software reads beyond the memory region allocated for the data it is handling. Unlike a write vulnerability, it does not directly allow the attacker to alter memory or execute code, but it can expose process memory containing configuration data, credentials, protocol material, or other information useful for a later attack.
Microsoft has not publicly specified exactly what information CVE-2026-50470 can reveal. The CVSS vector nevertheless rates the confidentiality impact as high while assigning no direct integrity or availability impact. That makes the flaw more serious than an error that leaks only a few harmless bytes or causes a diagnostic response.
The SNMP element also matters. Simple Network Management Protocol remains common in monitoring and infrastructure-management environments, particularly where Windows servers report health and operational data to centralized tools. Those systems may sit on highly trusted management networks where information gathered from one server can help an intruder map services, identify software, or prepare a more targeted second-stage attack.
The published vector does not require authentication. An attacker still needs network access to the vulnerable service, but that can include an already-compromised workstation, a foothold in a server VLAN, an improperly segmented monitoring network, or an SNMP endpoint unintentionally exposed beyond its intended administrative boundary.
Microsoft classifies exploitation as less likely, and the Zero Day Initiative’s July security review lists CVE-2026-50470 as neither publicly disclosed nor exploited in the wild at release time. That lowers immediate emergency pressure, but it does not remove the exposure created by a low-complexity, network-reachable flaw.

The Affected List Extends Beyond Current Server Releases​

Microsoft’s affected-product data spans multiple Windows generations. The CVE record includes Windows Server editions as well as Windows client releases because the vulnerable Windows components can exist across the shared operating-system codebase, even though Network Policy Server is primarily deployed as a server role.
Affected releases listed in the public record include Windows Server 2012, Server 2016, Server 2019, Server 2022, and Server 2025, including applicable Server Core installations. The record also names Windows 10 Version 1607, Version 1809, Version 21H2, and Version 22H2, along with Windows 11 Versions 24H2, 25H2, and 26H1.
That does not mean every Windows PC is actively reachable through this flaw. Exposure depends on the affected component being present and on an attacker being able to communicate with the relevant SNMP service. Administrators should therefore distinguish between software inventory and actual attack surface rather than concluding that every endpoint has the same risk.
The July updates associated with affected server platforms include KB5099535 for Windows Server 2016, KB5099538 for Windows Server 2019, KB5099540 for Windows Server 2022, and KB5099536 for Windows Server 2025. Windows 11 Version 24H2 and 25H2 receive the relevant fixes through KB5101650, while the Windows 11 26H1 servicing path includes KB5101649 on applicable systems.
Older platforms use their corresponding July security update or monthly rollup. Organizations purchasing Extended Security Updates for legacy Windows releases should verify that the appropriate ESU package was detected, approved, and installed instead of assuming a successful scan of newer servers covers the entire NPS estate.
A restart is required for the security updates identified in Microsoft’s affected-software tables. That may complicate deployment on NPS servers handling RADIUS authentication for wireless access, VPN connections, 802.1X network access, or other business-critical authentication flows.

Confidence Is High, but Technical Detail Is Still Limited​

The vulnerability record’s confidence information should not be confused with exploitability or severity. Confidence measures whether the weakness and its technical characterization are considered credible, not whether exploitation is happening or whether every exposed machine will surrender sensitive data.
For CVE-2026-50470, Microsoft is the assigning authority and has shipped a security fix, while the CVSS temporal information identifies the report confidence as confirmed. The existence of the flaw is therefore not speculative. The uncertainty lies in the limited public explanation of the triggering input, the affected SNMP operation, and the precise contents of memory that can be disclosed.
That distinction is important for defenders. A confirmed vendor vulnerability with no public proof of concept can still become easier to exploit after researchers compare patched and unpatched Windows binaries. Patch-diffing may reveal the corrected bounds check or parsing routine even if Microsoft never publishes packet-level exploitation details.
The presence of a second July vulnerability, CVE-2026-50496, carrying the same Windows Network Policy Server SNMP information-disclosure title and a 7.5 rating also deserves attention. Administrators should deploy the cumulative operating-system updates rather than attempting to isolate a single file fix for CVE-2026-50470; the monthly packages address both NPS SNMP issues alongside the rest of the platform’s security corrections.

Patch NPS, Then Check Who Can Reach SNMP​

The primary remediation is to install the July 14, 2026 Windows security update for each affected release. Where immediate deployment is blocked by change-control requirements, administrators should reduce exposure by restricting SNMP traffic to explicitly authorized management systems and preventing access from user, guest, wireless, and internet-facing network segments.
Firewall rules should be checked on the host and at network boundaries. SNMP commonly uses UDP port 161 for queries and UDP port 162 for traps, although custom deployments may differ. A broad allow rule from an entire corporate subnet is less protective than an allowlist limited to known monitoring servers.
Teams should also verify whether the Windows SNMP service or associated NPS monitoring functionality is actually required. Disabling an unnecessary service removes an attack path, but doing so without testing can break infrastructure monitoring, alerting, or legacy management integrations. Any temporary change should therefore be validated against the organization’s network-management platform.
After deployment, administrators should confirm the installed KB and operating-system build rather than relying only on an update-management status of “completed.” NPS nodes are often redundant, and it is easy for one secondary authentication server, disaster-recovery instance, or Server Core deployment to miss a maintenance window while the main nodes are updated.
CVE-2026-50470 is not reported as a zero-day and does not provide code execution by itself. Its significance comes from the combination of unauthenticated network access, low attack complexity, and potentially high-value disclosure from servers positioned close to authentication and network-control infrastructure. The concrete next step is to patch every NPS node, restart it, verify RADIUS and SNMP operation, and narrow management-network access before public technical analysis makes the flaw easier to reproduce.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: tomshardware.com
 

Back
Top