CVE-2026-50496: Patch Windows NPS SNMP Flaw in July 14 Updates

CVE-2026-50496 exposes Windows Network Policy Server SNMP to a remotely reachable out-of-bounds read, allowing an unauthenticated attacker to obtain information over the network. Microsoft classified the flaw as Important and released fixes with its July 14, 2026 security updates, making patching a priority for servers that run Network Policy Server or expose SNMP services.
Detailed in Microsoft’s Security Update Guide and added to the National Vulnerability Database on July 14, the vulnerability carries a CVSS 3.1 base score of 7.5. It requires no privileges or user interaction, and Microsoft’s assessment gives it low attack complexity.
The practical risk is concentrated in Windows infrastructure that combines Network Policy Server functionality with reachable SNMP processing. Administrators should identify those systems first, restrict unnecessary SNMP access, and install the applicable July cumulative update rather than treating the CVE as an ordinary desktop information leak.

Cybersecurity illustration showing SNMP traffic, a protected server, firewall, monitoring dashboards, and locked network connections.A Network Request Can Reach Beyond Its Buffer​

Microsoft describes CVE-2026-50496 as an out-of-bounds read in Windows Network Policy Server SNMP. This class of memory-safety error occurs when software reads data beyond the intended boundary of a buffer, potentially returning adjacent memory contents or destabilizing the affected process.
The weakness is categorized as CWE-125. In this case, Microsoft says an unauthorized attacker can trigger the problem over a network, without first obtaining an account on the target or convincing a user to open a file.
That combination is the reason administrators should not dismiss the Important rating. The attack vector is network-based, attack complexity is low, privileges are not required, and user interaction is unnecessary. Exposure therefore depends primarily on whether the vulnerable functionality is installed, active, and reachable from a network an attacker can access.
Network Policy Server, or NPS, is Microsoft’s implementation of a RADIUS server and proxy. It is commonly used to centralize authentication, authorization, and accounting for VPN connections, wireless access, switches, and other network access infrastructure. A compromised or unstable NPS deployment can consequently affect more than a single Windows host, even when the vulnerability itself does not provide remote code execution.
SNMP adds another operational concern because older deployments are frequently configured for monitoring by network-management systems, sometimes using broadly permitted source ranges. An NPS server that only accepts management traffic from a tightly controlled monitoring subnet presents a different risk from one whose SNMP endpoint is reachable across user VLANs, partner networks, or the public internet.

Microsoft’s Score Contains a Metadata Conflict​

The public CVE description and title identify information disclosure as the impact, but the initial CVSS 3.1 vector recorded by Microsoft is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. That vector assigns no confidentiality impact and instead records a high availability impact.
This is a notable inconsistency. An out-of-bounds read may cause both unintended disclosure and a process failure, but the published title, description, and vector do not currently describe those consequences in the same way. The National Vulnerability Database was still awaiting its own enrichment when the record appeared, so its entry largely reflected Microsoft’s submitted data.
Administrators should avoid drawing an overly precise conclusion from that discrepancy. The defensible reading is that malformed network input can cause unsafe memory access in the NPS SNMP component, with Microsoft labeling the issue as information disclosure while its initial score indicates potentially serious service disruption.
The score of 7.5 remains consistent with a remotely triggerable flaw requiring neither authentication nor user action. Whether the dominant real-world outcome is leaked memory, an unavailable service, or both may become clearer if Microsoft revises the advisory or researchers publish a technical analysis.
The report-confidence text included in Microsoft’s scoring interface also should not be mistaken for a vulnerability-specific technical explanation. It defines how CVSS temporal scoring evaluates confidence in a report. A confirmed rating means the vendor or sufficiently detailed evidence has established that the vulnerability exists; it does not mean exploit code is public or attacks have been observed.

The Affected Range Extends Across Windows Generations​

The CVE record lists affected builds across supported Windows client and server generations, including Windows 10, Windows 11, Windows Server 2012 and 2012 R2 under extended servicing arrangements, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core installations are also represented for several Windows Server releases.
Among the patched build thresholds published with the CVE data are Windows Server 2022 build 20348.5386 and Windows Server 2025 build 26100.33158. Windows Server 2022 receives that build through KB5099540, the July 14 cumulative update.
Windows 11 24H2 systems are listed as affected below build 26100.8875, while Windows 11 25H2 systems are listed below build 26200.8875. The CVE data also includes Windows 10 22H2 below build 19045.7548 and older Windows releases still receiving applicable security servicing.
The appearance of client editions does not mean every Windows laptop is operating as an exposed NPS or SNMP endpoint. Microsoft security updates commonly list every operating-system package containing an affected shared component, even when exploitation depends on an optional role, service, or configuration. Asset inventories should therefore distinguish between machines that merely contain the vulnerable code and systems where the relevant functionality is enabled and reachable.
That distinction is useful for prioritization, but not as a reason to skip normal cumulative updates. Windows cumulative servicing rolls the correction into the monthly package, and systems that later enable an affected feature could become exposed if their patch level remains behind.

Patch the Authentication Infrastructure First​

The immediate action is to deploy the July 14, 2026 cumulative updates to NPS servers and Windows hosts running SNMP-related components. Administrators should verify the resulting OS build rather than relying solely on a management console’s successful-installation status, particularly after maintenance windows involving clustered or redundant authentication services.
Before rollout, infrastructure teams should map which NPS instances support wireless authentication, VPN gateways, network access control, or switch administration. A staged deployment is still appropriate, but the network-access role of these servers means testing should include RADIUS authentication, accounting, health monitoring, failover behavior, and SNMP polling after the reboot.
Where patching cannot occur immediately, network controls provide the most direct temporary reduction in exposure. SNMP traffic should be limited to authorized monitoring systems, blocked at untrusted boundaries, and removed entirely from hosts that do not require it. Administrators should also confirm that firewall rules have not expanded over time to include whole management VLANs or general-purpose server subnets.
Monitoring teams should review unusual SNMP requests, repeated malformed queries, unexpected NPS service restarts, and gaps in RADIUS availability. An out-of-bounds read may not leave an obvious security event identifying CVE-2026-50496, so correlated network telemetry and service-health records may provide more useful evidence than a single Windows log.
CVE-2026-50496 is not presented as a remote-code-execution flaw, but its unauthenticated network path places it on infrastructure that many organizations depend on for access decisions. The July update closes that path; the remaining task is ensuring the NPS and SNMP systems most capable of affecting network authentication reach the patched builds first.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: security.business.xerox.com
  3. Related coverage: tomshardware.com
 

Back
Top