CVE-2026-50477: KB5101650 Fixes Windows Kernel Privilege Escalation

Microsoft has patched CVE-2026-50477, a Windows Kernel elevation-of-privilege vulnerability that can let a local attacker turn limited access into a much deeper system compromise. The fix arrived on July 14, 2026, through the monthly Windows security updates, including KB5101650 for Windows 11 versions 24H2 and 25H2.
Detailed in Microsoft’s Security Update Guide and the National Vulnerability Database, the flaw is a heap-based buffer overflow in the Windows kernel. Microsoft assigns it an 8.8 CVSS score and an Important severity rating, while assessing exploitation as less likely. It was neither publicly disclosed nor known to be exploited when the update was released.
That distinction matters. CVE-2026-50477 is not one of July’s actively exploited zero-days, but its kernel location and potential impact make it more consequential than the word “Important” might suggest.

Cybersecurity illustration showing a shield protecting servers from a heap-based buffer overflow during a Windows update.A Local Foothold Can Become a System-Level Breach​

CVE-2026-50477 requires an attacker to operate locally with existing low-level privileges. It is therefore not a vulnerability that an unauthenticated Internet user can directly exploit against an exposed Windows PC or server.
The CVSS vector shows low attack complexity, low privileges required, and no user interaction. In practical terms, an attacker who has already executed code under a restricted account could attempt to trigger the kernel memory error without persuading another user to open a file, visit a website, or approve a prompt.
A successful exploit could affect confidentiality, integrity, and availability at the highest measured levels. The changed-scope component of Microsoft’s CVSS vector also indicates that exploitation can cross an authorization boundary rather than merely damage resources already available to the compromised account.
This makes the vulnerability useful as the second stage of an intrusion. Malware may initially arrive through phishing, a malicious document, a browser flaw, stolen credentials, or an exposed remote-management tool. CVE-2026-50477 could then provide a route out of a restricted user context and toward control over the machine.
Kernel privilege escalation can potentially give an attacker the authority needed to disable security products, access protected data, create persistent services, manipulate other processes, or steal credentials. Microsoft has not published exploit code or a detailed technical walkthrough, so those outcomes describe the general consequence of kernel-level privilege escalation rather than a confirmed CVE-2026-50477 attack chain.

Report Confidence Does Not Measure Active Exploitation​

Microsoft’s advisory describes the vulnerability’s report confidence as confirmed. That metric can be easy to misread, particularly when presented beside exploitability and severity scores.
Confirmed report confidence means the vendor considers the vulnerability and its technical basis credible. It may indicate that detailed reports exist, reproduction is possible, source code permits independent verification, or Microsoft has confirmed the defect through its own investigation.
It does not mean that attackers are exploiting CVE-2026-50477 in the wild. Microsoft’s separate exploitability fields listed the vulnerability as not publicly disclosed and not exploited at publication, with exploitation considered less likely.
The confidence rating nevertheless removes uncertainty over whether the underlying bug is real. Microsoft identifies the weakness as CWE-122, the standard classification for a heap-based buffer overflow. These errors occur when software writes outside the bounds of an allocated region of heap memory, potentially corrupting neighboring data and altering program behavior.
Exploiting memory corruption in the Windows kernel is not automatically straightforward. Modern Windows releases include layers of mitigation intended to make reliable kernel exploitation harder, and attackers still need an initial local foothold. Microsoft’s “Exploitation Less Likely” assessment suggests the company does not expect dependable exploitation soon, based on the conditions and technical characteristics known at release.
It remains a forecast, not a guarantee. Security teams should not treat that label as permission to leave vulnerable systems unpatched indefinitely.

The Affected Range Spans Windows 10 Through Windows 11 26H1​

Microsoft’s affected-product data covers a broad cross-section of supported and extended-support Windows installations. Client systems include Windows 10 versions 1607, 1809, 21H2, and 22H2, along with Windows 11 versions 24H2, 25H2, and 26H1.
The server footprint is similarly wide. Microsoft lists Windows Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022, and Server 2025, including applicable Server Core installations.
For mainstream Windows 11 deployments, July’s cumulative update moves version 24H2 to OS build 26100.8875 and version 25H2 to build 26200.8875. Both are delivered through KB5101650. Administrators can verify the installed build with winver, PowerShell inventory, Microsoft Intune, Configuration Manager, or their usual endpoint-management platform.
Microsoft’s vulnerability record identifies the following patched build thresholds:
  • Windows 10 version 1607 and Windows Server 2016 are protected at build 14393.9339 or later.
  • Windows 10 version 1809 and Windows Server 2019 are protected at build 17763.9020 or later.
  • Windows 10 version 21H2 is protected at build 19044.7548 or later.
  • Windows 10 version 22H2 is protected at build 19045.7548 or later.
  • Windows 11 version 24H2 is protected at build 26100.8875 or later.
  • Windows 11 version 25H2 is protected at build 26200.8875 or later.
  • Windows Server 2022 is protected at build 20348.5386 or later.
  • Windows Server 2025 is protected at build 26100.33158 or later.
Windows Server 2012 and 2012 R2 require the applicable Extended Security Updates servicing path. Their presence in the affected list does not restore ordinary support to installations that lack valid ESU coverage.

Deployment Risk Extends Beyond the CVE​

CVE-2026-50477 is bundled into cumulative Windows updates rather than distributed as a small standalone kernel patch. Administrators therefore need to evaluate the entire July package, including its security hardening and known deployment constraints.
Microsoft says KB5101650 may be temporarily unavailable for a limited number of Dell systems with Intel processors. Dell reported an incompatibility that could cause unexpected shutdowns, reduced performance, increased heat, and battery drain. Microsoft and Dell are withholding the update from affected models while they prepare a resolution.
The same Windows 11 update also tightens registration requirements for legacy Transport Driver Interface transports. Applications using sockets over unregistered third-party TDI transports may stop working after installation, while properly registered transports are unaffected. Organizations running older networking, filtering, monitoring, or security software should include those components in pilot testing.
Those compatibility concerns justify staged validation, but not an open-ended delay. July 2026’s release is unusually large: BleepingComputer counted 570 Microsoft vulnerabilities, including two actively exploited zero-days and one publicly disclosed zero-day. CVE-2026-50477 sits inside a broader update cycle in which delaying the cumulative package also delays protection against more immediate threats.
For enterprise fleets, the sensible order is to inventory exposed builds, test the cumulative update against kernel-sensitive security and networking tools, deploy to representative endpoint and server rings, and monitor restart completion. Systems shared by multiple users, virtual desktop hosts, jump boxes, development machines, and servers where lower-privileged accounts can execute code deserve particular attention because they offer plausible starting conditions for a local escalation attempt.
Microsoft has not published a workaround or mitigation that replaces the security update. The concrete boundary is therefore the patched build: devices below it remain exposed, while successfully updated and restarted systems receive the kernel correction alongside the rest of the July 14 security release.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
 

Back
Top