CVE-2026-50655: Install July Updates to Fix Windows Media RCE

CVE-2026-50655, a Windows Media Foundation remote code execution vulnerability fixed in Microsoft’s July 14, 2026 security updates, can let an unauthenticated attacker run code after a user interacts with malicious media content. The flaw carries a CVSS 3.1 score of 7.8 and affects supported Windows 10, Windows 11, and Windows Server releases.
Microsoft confirmed the vulnerability through the Microsoft Security Response Center’s Security Update Guide. The National Vulnerability Database, which was still awaiting its own enrichment assessment on July 15, describes the underlying weakness as a heap-based buffer overflow in Windows Media and identifies it as CWE-122.
Administrators should deploy the July cumulative updates rather than wait for fuller technical disclosure. No exploitation had been identified in CISA’s initial assessment, but a flaw that combines low attack complexity, no required privileges, and complete confidentiality, integrity, and availability impact deserves prompt treatment.

Futuristic cybersecurity dashboard showing media protection, data processing, servers, alerts, and a security analyst.The “Remote” Label Comes With an Important Qualification​

Despite the advisory’s remote code execution title, Microsoft assigned CVE-2026-50655 a local attack vector in its CVSS calculation. The vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, producing the High-severity score of 7.8.
That distinction matters. The available data does not describe a wormable service vulnerability that an attacker can exploit simply by reaching an exposed Windows port. Instead, exploitation requires user interaction and takes place through locally processed content, a pattern commonly associated with a victim opening or otherwise causing Windows to parse a crafted file.
Microsoft has not publicly identified the specific media format, application, codec, or delivery mechanism involved. The advisory also does not say whether previewing content in File Explorer, processing a browser download, indexing a media library, or opening a file in a particular application is sufficient to reach the vulnerable code.
The practical risk is therefore content-driven rather than service-driven. An attacker could potentially distribute a malicious media file through email, messaging services, collaboration platforms, compromised websites, shared folders, or removable storage, but the precise trigger remains undocumented.
The CVSS metrics establish several useful boundaries:
  • Exploitation requires no existing account or Windows privileges.
  • Attack complexity is rated low, indicating that Microsoft does not expect unusual environmental conditions to be necessary.
  • User interaction is required, so an attacker cannot complete the attack without persuading a target or placing content into a workflow that processes it.
  • Successful exploitation could have a high impact on data confidentiality, system integrity, and availability.
  • The scope remains unchanged, meaning the resulting code executes within the security authority of the vulnerable component or process rather than automatically crossing a separate security boundary.
For a standard desktop user, that could mean code execution with the user’s permissions. If malicious content is processed by an elevated application, privileged service, administrative session, or media-processing workload with broad access, the consequence could be substantially worse.

July Updates Draw the Patch Boundary​

CVE-2026-50655 affects a wide range of Windows generations, including systems that remain in service because of Long-Term Servicing Channel deployments or Extended Security Updates. Microsoft’s affected-product data lists Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 24H2, 25H2, and 26H1; and Windows Server 2016, 2019, 2022, and 2025.
The fixed build numbers provide administrators with a straightforward compliance check. Systems below the following levels remain within Microsoft’s affected ranges:
  • Windows 10 version 1607 and Windows Server 2016 must reach build 14393.9339.
  • Windows 10 version 1809 and Windows Server 2019 must reach build 17763.9020.
  • Windows 10 versions 21H2 and 22H2 must reach builds 19044.7548 and 19045.7548 respectively.
  • Windows Server 2022 must reach build 20348.5386.
  • Windows 11 versions 24H2 and 25H2 must reach builds 26100.8875 and 26200.8875 respectively.
  • Windows 11 version 26H1 must reach build 28000.2525.
  • Windows Server 2025 must reach build 26100.33158.
For mainstream Windows 11 24H2 and 25H2 installations, the fix arrives in KB5101650, which advances those systems to OS builds 26100.8875 and 26200.8875. Microsoft says the cumulative update is available through Windows Update, Windows Update for Business, the Microsoft Update Catalog, and Windows Server Update Services.
Windows 10 version 21H2 and 22H2 receive the correction through KB5099539, moving devices to builds 19044.7548 and 19045.7548. These releases now require particular attention to servicing eligibility: ordinary Windows 10 version 22H2 support ended on October 14, 2025, so consumer and business devices generally need Extended Security Updates unless they run a still-supported LTSC edition.
Windows Server 2022 receives KB5099540, raising the OS build to 20348.5386. Microsoft’s update notes also document a possible one-time BitLocker recovery prompt on a limited set of managed systems using an unrecommended PCR7 Group Policy configuration, giving server teams another reason to validate the cumulative update in a representative deployment ring before broad rollout.
Server Core is not an escape route. Microsoft explicitly lists Server Core installations of Windows Server 2016, Windows Server 2019, and Windows Server 2025 among the affected products, demonstrating that the vulnerable media functionality can remain present even where the full desktop experience is absent.

Media Processing Expands the Enterprise Exposure​

Windows Media Foundation is infrastructure, not merely a user-facing media player. Applications can rely on its codecs, transforms, capture interfaces, protected media support, and playback pipeline without presenting themselves as traditional video or audio software.
That widens the inventory problem for enterprise IT. A workstation user opening an unexpected attachment is the obvious scenario, but media parsing can also appear in document-management systems, video-surveillance clients, conferencing applications, asset-management tools, thumbnail generators, transcoding jobs, and line-of-business software.
Administrators should not assume that removing a default media player eliminates exposure. The affected code belongs to Windows, and Microsoft’s product list spans client and server editions rather than naming a removable Store application as the vulnerable product.
Where patching must be delayed, organizations should reduce opportunities for untrusted media to reach sensitive systems. Mail gateways, web filters, endpoint detection controls, application allow-listing, attachment policies, and least-privilege user accounts can reduce risk, although none replaces the operating-system update.
Security teams should also watch for child processes or unusual network activity launched by applications that ordinarily consume media. Because Microsoft has not disclosed the affected file type or process path, narrowly searching for one extension or one executable would provide false confidence.

Confirmed Vulnerability, Limited Exploit Detail​

The available evidence supports high confidence that CVE-2026-50655 exists: Microsoft acknowledged the vulnerability, classified the heap-based buffer overflow, assigned the CVSS vector, identified affected builds, and shipped corrected cumulative updates. That is materially different from an uncorroborated vulnerability report based only on suspected behavior.
Confidence in the vulnerability’s existence should not be confused with completeness of the public technical record. Microsoft has not published proof-of-concept code, a root-cause analysis, a malicious-file example, or detailed exploit conditions. NVD had also not completed an independent scoring assessment as of July 15.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data recorded no known exploitation and characterized the attack as not readily automatable, while recognizing the potential for total technical impact. Those findings lower the immediate alarm compared with an actively exploited zero-day, but they do not make the update optional.
The most useful administrative test is the OS build, not whether Windows Update reports that it checked recently. Devices should be verified against the corrected build for their exact Windows release, with particular scrutiny given to Windows 10 ESU fleets, disconnected servers, golden images, virtual desktop templates, and systems that process media from external or semi-trusted sources.
CVE-2026-50655 currently sits in the uncomfortable middle ground between a conventional Patch Tuesday flaw and a potentially valuable content-based attack primitive: Microsoft has shipped the fix and confirmed severe consequences, but defenders still do not know exactly which media workflow triggers it. Until that detail emerges, reaching the July 14 build baseline is the only dependable way to close the vulnerability.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
 

Back
Top