Microsoft has patched CVE-2026-50490, a Windows Installer use-after-free vulnerability that can let a locally authenticated attacker elevate privileges. The flaw carries a CVSS 3.1 score of 7.0, rated High, and affects Windows 10, Windows 11, and Windows Server releases stretching from Server 2012 through Server 2025.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability is part of Microsoft’s July security-update cycle. The National Vulnerability Database describes it as a use-after-free error in Windows Installer and identifies the underlying weakness as CWE-416.
Administrators should deploy the July 2026 Windows security updates rather than treating this as an Internet-facing emergency. CVE-2026-50490 requires local access and existing low-level privileges, but successful exploitation could give an attacker full control over confidentiality, integrity, and availability on the affected machine.
Microsoft’s CVSS vector is
Exploitation also carries high attack complexity, meaning success depends on conditions beyond simply launching a malicious installer. No user interaction is required once those conditions have been established, however, and the vulnerability remains significant because a successful attack can compromise all three principal security properties of the system.
The vulnerability’s scope is unchanged, so exploitation does not cross into a separate security authority. That distinction matters to vulnerability scoring, but it does not make the outcome harmless: an attacker who elevates from a restricted account to administrative or SYSTEM-equivalent access can disable security controls, access protected data, create persistent accounts, and tamper with the operating system.
CISA’s Stakeholder-Specific Vulnerability Categorization assessment lists exploitation as “none” and says the attack is not automatable. Its assessment nevertheless assigns the issue total technical impact, reflecting the potential consequences after successful privilege escalation.
As of July 15, neither Microsoft’s published record nor the NVD entry indicates known exploitation in the wild. The issue is therefore not presented as a zero-day under active attack, and there is no evidence in the public record that working exploit code was available before Microsoft released its fixes.
A use-after-free vulnerability occurs when software continues to access memory after the associated object has been released. If an attacker can influence how that memory is reused, the stale reference may lead to corruption or attacker-controlled behavior. Microsoft has not publicly documented the precise object, call sequence, or installer operation involved in CVE-2026-50490.
The high-complexity rating suggests exploitation is likely to require careful timing, memory manipulation, or another specific runtime condition. That is a meaningful barrier to opportunistic abuse, but local elevation flaws are commonly used as the second stage of a larger intrusion: phishing, a browser flaw, a malicious document, or stolen credentials may provide initial execution, while the elevation vulnerability removes the restrictions attached to that foothold.
This is why endpoint exposure cannot be judged solely from the “local” attack vector. A standard-user account is an important containment boundary. CVE-2026-50490 potentially gives an attacker already inside that boundary a route toward system-level control.
The server list is similarly broad. Windows Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022, and Server 2025 are included, with Server Core installations explicitly identified where applicable.
Microsoft’s fixed-version thresholds include:
Windows Server 2012 and Server 2012 R2 require particular attention because regular extended support ended in October 2023. Systems covered by Microsoft’s Extended Security Updates program can receive applicable fixes, but unsupported installations outside that arrangement should not be considered protected merely because Microsoft lists the product family.
Endpoint-management reports should be checked against the corrected operating-system builds, particularly where update dashboards report installation success without confirming the final revision number. Mixed environments may require separate baselines for Windows 11 24H2, 25H2, and 26H1, while Server 2025 uses a much higher revision number than the corresponding Windows 11 branch despite sharing the 26100 base build.
Organizations unable to patch immediately should reduce the paths through which untrusted users or code can reach affected systems. That includes limiting interactive logons to servers, controlling MSI execution where operationally practical, blocking unauthorized software deployment, and monitoring installer-related activity from unexpected accounts or directories.
Those measures are containment rather than a substitute for Microsoft’s update. Windows Installer remains available to legitimate management systems and applications, and disabling it indiscriminately can break software deployment, repair operations, and line-of-business maintenance.
The supplied description of a “confidence” metric is generic scoring guidance, not evidence that CVE-2026-50490 is uncertain or unconfirmed. Microsoft is the assigning CVE authority, identifies the root cause as a use-after-free condition, supplies affected-version boundaries, and has released corrected builds. What remains undisclosed is the detailed exploitation method—not whether the vulnerability exists.
CVE-2026-50490 does not currently carry the urgency of a remotely exploitable or actively abused flaw, but its broad Windows footprint makes it relevant to nearly every managed estate. The practical milestone is straightforward: devices should move to the July 2026 security-update builds or later, with unsupported Windows installations treated as an exposure that patch reporting alone cannot resolve.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability is part of Microsoft’s July security-update cycle. The National Vulnerability Database describes it as a use-after-free error in Windows Installer and identifies the underlying weakness as CWE-416.
Administrators should deploy the July 2026 Windows security updates rather than treating this as an Internet-facing emergency. CVE-2026-50490 requires local access and existing low-level privileges, but successful exploitation could give an attacker full control over confidentiality, integrity, and availability on the affected machine.
Local Access Limits the Entry Point, Not the Damage
Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, an attacker cannot trigger the flaw directly across the network. The attacker must already be able to execute code or otherwise operate through an authorized local account.Exploitation also carries high attack complexity, meaning success depends on conditions beyond simply launching a malicious installer. No user interaction is required once those conditions have been established, however, and the vulnerability remains significant because a successful attack can compromise all three principal security properties of the system.
The vulnerability’s scope is unchanged, so exploitation does not cross into a separate security authority. That distinction matters to vulnerability scoring, but it does not make the outcome harmless: an attacker who elevates from a restricted account to administrative or SYSTEM-equivalent access can disable security controls, access protected data, create persistent accounts, and tamper with the operating system.
CISA’s Stakeholder-Specific Vulnerability Categorization assessment lists exploitation as “none” and says the attack is not automatable. Its assessment nevertheless assigns the issue total technical impact, reflecting the potential consequences after successful privilege escalation.
As of July 15, neither Microsoft’s published record nor the NVD entry indicates known exploitation in the wild. The issue is therefore not presented as a zero-day under active attack, and there is no evidence in the public record that working exploit code was available before Microsoft released its fixes.
Windows Installer Remains a Valuable Escalation Target
Windows Installer is the operating system service behind MSI-based software installation, repair, modification, and removal. Those operations frequently need elevated access to protected directories, services, registry locations, and other system-wide resources, making the component an attractive boundary for privilege-escalation research.A use-after-free vulnerability occurs when software continues to access memory after the associated object has been released. If an attacker can influence how that memory is reused, the stale reference may lead to corruption or attacker-controlled behavior. Microsoft has not publicly documented the precise object, call sequence, or installer operation involved in CVE-2026-50490.
The high-complexity rating suggests exploitation is likely to require careful timing, memory manipulation, or another specific runtime condition. That is a meaningful barrier to opportunistic abuse, but local elevation flaws are commonly used as the second stage of a larger intrusion: phishing, a browser flaw, a malicious document, or stolen credentials may provide initial execution, while the elevation vulnerability removes the restrictions attached to that foothold.
This is why endpoint exposure cannot be judged solely from the “local” attack vector. A standard-user account is an important containment boundary. CVE-2026-50490 potentially gives an attacker already inside that boundary a route toward system-level control.
The Affected Range Reaches Across Client and Server Fleets
Microsoft’s CVE record covers multiple Windows generations and processor architectures. The affected client releases include Windows 10 Version 1607, 1809, 21H2, and 22H2, along with Windows 11 Versions 24H2, 25H2, and 26H1.The server list is similarly broad. Windows Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022, and Server 2025 are included, with Server Core installations explicitly identified where applicable.
Microsoft’s fixed-version thresholds include:
- Windows 11 Versions 24H2 and 25H2 are affected below builds 26100.8875 and 26200.8875, respectively.
- Windows 11 Version 26H1 is affected below build 28000.2269.
- Windows 10 Versions 21H2 and 22H2 are affected below builds 19044.7548 and 19045.7548.
- Windows Server 2022 is affected below build 20348.5386.
- Windows Server 2025 is affected below build 26100.33158.
- Windows Server 2016 and Windows 10 Version 1607 are affected below build 14393.9339.
- Windows Server 2019 and Windows 10 Version 1809 are affected below build 17763.9020.
Windows Server 2012 and Server 2012 R2 require particular attention because regular extended support ended in October 2023. Systems covered by Microsoft’s Extended Security Updates program can receive applicable fixes, but unsupported installations outside that arrangement should not be considered protected merely because Microsoft lists the product family.
Patch Verification Matters More Than the CVSS Number
The immediate defensive action is to install the July 2026 cumulative security update applicable to each Windows release. Because Windows cumulative updates supersede earlier fixes, administrators should generally target the current cumulative package rather than search for a separate Windows Installer download.Endpoint-management reports should be checked against the corrected operating-system builds, particularly where update dashboards report installation success without confirming the final revision number. Mixed environments may require separate baselines for Windows 11 24H2, 25H2, and 26H1, while Server 2025 uses a much higher revision number than the corresponding Windows 11 branch despite sharing the 26100 base build.
Organizations unable to patch immediately should reduce the paths through which untrusted users or code can reach affected systems. That includes limiting interactive logons to servers, controlling MSI execution where operationally practical, blocking unauthorized software deployment, and monitoring installer-related activity from unexpected accounts or directories.
Those measures are containment rather than a substitute for Microsoft’s update. Windows Installer remains available to legitimate management systems and applications, and disabling it indiscriminately can break software deployment, repair operations, and line-of-business maintenance.
The supplied description of a “confidence” metric is generic scoring guidance, not evidence that CVE-2026-50490 is uncertain or unconfirmed. Microsoft is the assigning CVE authority, identifies the root cause as a use-after-free condition, supplies affected-version boundaries, and has released corrected builds. What remains undisclosed is the detailed exploitation method—not whether the vulnerability exists.
CVE-2026-50490 does not currently carry the urgency of a remotely exploitable or actively abused flaw, but its broad Windows footprint makes it relevant to nearly every managed estate. The practical milestone is straightforward: devices should move to the July 2026 security-update builds or later, with unsupported Windows installations treated as an exposure that patch reporting alone cannot resolve.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org