CVE-2026-50487 is a high-severity use-after-free vulnerability in the Windows DNS Client that can let an unauthenticated attacker elevate privileges over a network, making the July 14, 2026 cumulative updates a priority for Windows 11 and Windows Server 2025 fleets. Microsoft assigns the flaw a CVSS 3.1 base score of 8.1 and classifies its technical details as confirmed.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database on July 14, the vulnerability affects Windows 11 versions 24H2, 25H2, and 26H1, along with Windows Server 2025 and its Server Core installation option. Microsoft identifies the underlying weakness as CWE-416, or use after free, in the Windows DNS implementation.
The immediate action is straightforward: deploy the applicable July cumulative update and verify the resulting OS build rather than relying only on an update-management console showing the package as assigned.
CVE-2026-50487 resides in the Windows DNS Client, not specifically in the DNS Server role. That distinction matters because ordinary Windows endpoints and member servers routinely process DNS traffic regardless of whether they host a DNS zone or have the Windows DNS Server role installed.
Microsoft’s CVSS vector describes an attack that is reachable over a network, requires no existing privileges, and needs no user interaction. A successful attacker could compromise confidentiality, integrity, and availability, although Microsoft rates the attack complexity as high, indicating that exploitation depends on conditions outside an attacker’s direct control.
The vulnerability’s use-after-free classification points to unsafe handling of memory after an object has already been released. If an attacker can reliably trigger and shape that condition through malicious DNS-related traffic, the resulting memory corruption could provide a path to elevated execution rather than merely crashing the DNS Client service.
That combination makes the flaw more consequential than its “Elevation of Privilege” title might initially suggest. It is network reachable and does not require a user to open a document, visit a page, or approve a prompt, but the high-complexity rating prevents it from receiving the near-maximum score associated with straightforward, repeatable remote compromise.
The National Vulnerability Database also records a CISA Stakeholder-Specific Vulnerability Categorization assessment of “none” for known exploitation as of July 14. That is not a guarantee that exploitation will remain unavailable; it means administrators do not currently have evidence of active attacks from the published record.
Windows 11 version 26H1 receives KB5101649, taking the operating system to build 28000.2525. Microsoft’s affected-version data lists builds earlier than 28000.2269 as vulnerable, but administrators should still deploy the July release rather than treating the June build boundary as a reason to defer the current security update. KB5101649 contains the complete July security set and supersedes previous cumulative servicing levels.
Windows Server 2025 and Windows Server 2025 Server Core receive KB5099536, which advances both installation types to build 26100.33158. Server Core is not insulated by its reduced graphical footprint because the affected DNS Client functionality remains part of the operating system.
The resulting verification targets are:
Because these are cumulative updates, there is no separate CVE-specific package to deploy. Devices receiving the appropriate July 2026 cumulative update also receive the DNS Client correction alongside the month’s other security and quality changes.
Running a trusted internal DNS server does not by itself remove the risk. DNS data can originate outside the organization, pass through recursive resolvers, and reach a Windows client as a response. The exact packet sequence or environmental condition required to exploit CVE-2026-50487 has not been publicly documented in enough detail to support a dependable network-level workaround.
The high attack-complexity score may indicate that exploitation requires precise memory state, timing, traffic sequencing, or another prerequisite. It should not be interpreted as requiring local access or authenticated domain credentials: Microsoft’s vector explicitly records network access, no privileges, and no user interaction.
That leaves patching as the dependable remediation. Blocking arbitrary DNS traffic at the perimeter remains sound security practice, but forcing clients to use approved resolvers should be viewed as exposure reduction rather than a substitute for installing the corrected Windows components.
Administrators should also resist disabling the DNS Client service as an emergency response without extensive testing. Windows name resolution is intertwined with domain operations, application discovery, proxy behavior, network shares, and numerous management workflows. A broad service-level workaround could cause more immediate disruption while still failing to address every relevant code path.
Windows Server 2025 deserves particular attention because DNS activity is continuous on domain-joined servers, even when those machines are not domain controllers or DNS servers. Internet-facing workloads, remote-access infrastructure, jump hosts, and systems connected to less-trusted network segments are sensible candidates for an accelerated deployment ring.
Microsoft says it is not currently aware of issues with the Windows 11 26H1 July update. The Windows Server 2025 release does retain a previously documented WSUS reporting limitation in which synchronization error details are unavailable after certain updates, but that does not negate the security need to install KB5099536.
Organizations managing Windows 11 24H2 or 25H2 should additionally note that KB5101650 may be withheld from a limited number of Dell devices using Intel processors because of a reported compatibility problem involving unexpected shutdowns, performance degradation, increased heat, and battery drain. Those machines require separate tracking: an update safeguard can prevent installation, but it does not make the underlying DNS vulnerability disappear.
For systems held behind that safeguard, administrators should monitor Microsoft and Dell guidance, reduce untrusted network exposure where practical, and install the corrected release as soon as the compatibility block is resolved. Manually bypassing a safeguard hold is risky when the documented failure modes include shutdown and thermal or power-related problems.
CVE-2026-50487 is not reported as actively exploited, but its unauthenticated network path and potential for elevated execution make it unsuitable for a routine end-of-month queue. The practical milestone is not merely approving July’s packages; it is confirming that vulnerable Windows 11 and Windows Server 2025 systems have reached their corrected builds, with separately tracked exceptions for devices that cannot yet receive them.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database on July 14, the vulnerability affects Windows 11 versions 24H2, 25H2, and 26H1, along with Windows Server 2025 and its Server Core installation option. Microsoft identifies the underlying weakness as CWE-416, or use after free, in the Windows DNS implementation.
The immediate action is straightforward: deploy the applicable July cumulative update and verify the resulting OS build rather than relying only on an update-management console showing the package as assigned.
A DNS Client Bug With a Network Attack Path
CVE-2026-50487 resides in the Windows DNS Client, not specifically in the DNS Server role. That distinction matters because ordinary Windows endpoints and member servers routinely process DNS traffic regardless of whether they host a DNS zone or have the Windows DNS Server role installed.Microsoft’s CVSS vector describes an attack that is reachable over a network, requires no existing privileges, and needs no user interaction. A successful attacker could compromise confidentiality, integrity, and availability, although Microsoft rates the attack complexity as high, indicating that exploitation depends on conditions outside an attacker’s direct control.
The vulnerability’s use-after-free classification points to unsafe handling of memory after an object has already been released. If an attacker can reliably trigger and shape that condition through malicious DNS-related traffic, the resulting memory corruption could provide a path to elevated execution rather than merely crashing the DNS Client service.
That combination makes the flaw more consequential than its “Elevation of Privilege” title might initially suggest. It is network reachable and does not require a user to open a document, visit a page, or approve a prompt, but the high-complexity rating prevents it from receiving the near-maximum score associated with straightforward, repeatable remote compromise.
The National Vulnerability Database also records a CISA Stakeholder-Specific Vulnerability Categorization assessment of “none” for known exploitation as of July 14. That is not a guarantee that exploitation will remain unavailable; it means administrators do not currently have evidence of active attacks from the published record.
July Builds Establish the Practical Compliance Line
For Windows 11 versions 24H2 and 25H2, Microsoft delivers the correction through KB5101650. The cumulative update advances Windows 11 24H2 to build 26100.8875 and Windows 11 25H2 to build 26200.8875.Windows 11 version 26H1 receives KB5101649, taking the operating system to build 28000.2525. Microsoft’s affected-version data lists builds earlier than 28000.2269 as vulnerable, but administrators should still deploy the July release rather than treating the June build boundary as a reason to defer the current security update. KB5101649 contains the complete July security set and supersedes previous cumulative servicing levels.
Windows Server 2025 and Windows Server 2025 Server Core receive KB5099536, which advances both installation types to build 26100.33158. Server Core is not insulated by its reduced graphical footprint because the affected DNS Client functionality remains part of the operating system.
The resulting verification targets are:
- Windows 11 24H2 should report build 26100.8875 after KB5101650.
- Windows 11 25H2 should report build 26200.8875 after KB5101650.
- Windows 11 26H1 should report build 28000.2525 after KB5101649.
- Windows Server 2025 should report build 26100.33158 after KB5099536.
Because these are cumulative updates, there is no separate CVE-specific package to deploy. Devices receiving the appropriate July 2026 cumulative update also receive the DNS Client correction alongside the month’s other security and quality changes.
Exposure Extends Beyond Traditional DNS Servers
The placement of the flaw in the DNS Client broadens the patching scope. Workstations, laptops, application servers, management systems, virtual machines, and Server Core hosts all resolve names, often using responses forwarded through internal resolvers, VPN infrastructure, security appliances, or cloud networking services.Running a trusted internal DNS server does not by itself remove the risk. DNS data can originate outside the organization, pass through recursive resolvers, and reach a Windows client as a response. The exact packet sequence or environmental condition required to exploit CVE-2026-50487 has not been publicly documented in enough detail to support a dependable network-level workaround.
The high attack-complexity score may indicate that exploitation requires precise memory state, timing, traffic sequencing, or another prerequisite. It should not be interpreted as requiring local access or authenticated domain credentials: Microsoft’s vector explicitly records network access, no privileges, and no user interaction.
That leaves patching as the dependable remediation. Blocking arbitrary DNS traffic at the perimeter remains sound security practice, but forcing clients to use approved resolvers should be viewed as exposure reduction rather than a substitute for installing the corrected Windows components.
Administrators should also resist disabling the DNS Client service as an emergency response without extensive testing. Windows name resolution is intertwined with domain operations, application discovery, proxy behavior, network shares, and numerous management workflows. A broad service-level workaround could cause more immediate disruption while still failing to address every relevant code path.
Rollout Checks Matter as Much as Approval
Enterprise teams should first identify vulnerable builds through endpoint management, configuration management databases, or direct OS inventory. Checkingwinver, Get-ComputerInfo, or the registry’s current build and update-build-revision values can confirm the actual servicing state when Windows Update for Business, Microsoft Intune, Configuration Manager, or WSUS reporting is delayed.Windows Server 2025 deserves particular attention because DNS activity is continuous on domain-joined servers, even when those machines are not domain controllers or DNS servers. Internet-facing workloads, remote-access infrastructure, jump hosts, and systems connected to less-trusted network segments are sensible candidates for an accelerated deployment ring.
Microsoft says it is not currently aware of issues with the Windows 11 26H1 July update. The Windows Server 2025 release does retain a previously documented WSUS reporting limitation in which synchronization error details are unavailable after certain updates, but that does not negate the security need to install KB5099536.
Organizations managing Windows 11 24H2 or 25H2 should additionally note that KB5101650 may be withheld from a limited number of Dell devices using Intel processors because of a reported compatibility problem involving unexpected shutdowns, performance degradation, increased heat, and battery drain. Those machines require separate tracking: an update safeguard can prevent installation, but it does not make the underlying DNS vulnerability disappear.
For systems held behind that safeguard, administrators should monitor Microsoft and Dell guidance, reduce untrusted network exposure where practical, and install the corrected release as soon as the compatibility block is resolved. Manually bypassing a safeguard hold is risky when the documented failure modes include shutdown and thermal or power-related problems.
CVE-2026-50487 is not reported as actively exploited, but its unauthenticated network path and potential for elevated execution make it unsuitable for a routine end-of-month queue. The practical milestone is not merely approving July’s packages; it is confirming that vulnerable Windows 11 and Windows Server 2025 systems have reached their corrected builds, with separately tracked exceptions for devices that cannot yet receive them.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com