CVE-2026-50663 Fix: Update Age of Empires II to 101.103.46651.0

Microsoft has fixed CVE-2026-50663, an 8.8-rated remote code execution vulnerability in Age of Empires II: Definitive Edition. Players running a version earlier than 101.103.46651.0 should update the game before opening content or joining sessions from untrusted sources.
Published on July 14, 2026, the Microsoft Security Response Center advisory identifies the underlying weakness as relative path traversal, tracked as CWE-23. Microsoft says an unauthorized attacker could exploit it over a network to execute code, potentially compromising the confidentiality, integrity, and availability of the affected Windows account.
The vulnerability is serious, but it is not described as a zero-click attack. Microsoft’s CVSS assessment says exploitation requires user interaction, while requiring no prior privileges and presenting low attack complexity. The company has not disclosed the precise game feature, file format, or network workflow through which malicious input reaches the vulnerable path-handling code.

A gaming PC shows a medieval battlefield alongside glowing security, file-transfer, and update symbols.Version 101.103.46651.0 Draws the Security Boundary​

Microsoft lists Age of Empires II: Definitive Edition Game versions from 1.0.0 up to, but not including, 101.103.46651.0 as affected. That makes 101.103.46651.0 the first version outside the vulnerable range documented in the CVE record.
Players should allow Steam or the Microsoft Store to finish updating the game and then confirm the installed version before playing. Simply checking that Windows Update completed is not sufficient: this vulnerability resides in the game, and its corrective update must arrive through the storefront or game-distribution channel responsible for that installation.
On Steam, players can check the game’s Properties and Updates pages, review the Downloads queue, and use “Verify integrity of game files” if the expected build does not install correctly. Microsoft Store and Xbox app users should check the Library or Downloads section for pending updates and restart the client if it continues to launch an older build.
Administrators responsible for shared gaming PCs, esports systems, labs, or managed recreation machines should inventory the executable rather than assume consumer storefronts have updated it. Automatic game updates can be delayed by a suspended client, limited maintenance windows, insufficient disk space, disconnected machines, or users launching through an offline configuration.
Until the corrected version is installed, the safest action is not to run the affected game. Disabling multiplayer alone cannot be treated as a verified workaround because Microsoft has not publicly identified the vulnerable input path or stated that exploitation is limited to a specific online mode.

A Path Traversal Bug With Code-Execution Consequences​

Relative path traversal occurs when software accepts or constructs a file path without adequately preventing sequences that navigate outside an intended directory. An attacker may use crafted path components to make an application read, create, replace, or extract files somewhere the developer did not intend.
That does not automatically produce remote code execution in every application. In this case, however, Microsoft explicitly assigns the maximum CVSS impact values for confidentiality, integrity, and availability, indicating that successful exploitation could give an attacker substantial control within the security context of the player running the game.
The advisory’s network attack vector does not mean an exposed Windows PC can necessarily be compromised merely because Age of Empires II: Definitive Edition is installed. The CVSS vector also includes “user interaction required,” meaning the victim must perform some action before exploitation can succeed.
Microsoft has not said whether that action involves joining a multiplayer game, accepting transferred content, loading a crafted scenario, installing a mod, opening a replay, or following some other game-specific workflow. Those are all categories that security teams may reasonably examine in software with community content and networking features, but assigning this CVE to any one of them without vendor confirmation would be speculation.
That lack of detail makes version-based remediation especially important. Blocking one suspected content type or restricting one game mode may reduce exposure, but it cannot substitute for installing the fixed build when the actual attack surface remains undisclosed.

Microsoft Calls the Vulnerability Confirmed, Not Exploited​

The CVE’s scoring data provides a more useful risk picture than the “remote code execution” label alone. Microsoft assigns CVE-2026-50663 a CVSS 3.1 base score of 8.8 and rates it High rather than Critical.
The vector describes exploitation as:
  • An attacker can reach the vulnerable component over a network.
  • The attack requires low complexity and no existing privileges.
  • A user must take an action for exploitation to complete.
  • Successful exploitation can have high confidentiality, integrity, and availability impact.
Microsoft’s temporal scoring also marks exploit-code maturity as unproven. That means the vendor was not reporting reliable public exploit code as part of the advisory’s initial assessment. It should not be interpreted as a guarantee that no researcher or attacker has developed a working exploit privately.
The report-confidence field is marked confirmed. This is the metric described in Microsoft’s advisory text as measuring confidence in the vulnerability’s existence and the credibility of the available technical information. In practical terms, Microsoft is not publishing a tentative suspicion: the vendor considers the flaw real and has identified a specific corrected version.
The remediation level is listed as an official fix. Microsoft’s initial CVE record does not indicate that CVE-2026-50663 was publicly disclosed before coordinated publication or that it was being actively exploited when the advisory appeared.
Those distinctions matter for patch prioritization. An actively exploited Windows service vulnerability exposed without user interaction would demand a different emergency response, but a confirmed, unauthenticated, low-complexity RCE in a widely used game still merits rapid installation of the vendor update.

Gaming PCs Are Not Security Islands​

The immediate audience is individual players, but the potential blast radius depends on where the game is installed. A home gaming PC may contain browser sessions, cloud-storage folders, saved credentials, source-code repositories, cryptocurrency wallets, or access to work systems through VPN and remote-management software.
The game normally runs with the logged-in user’s permissions. Consequently, successful code execution could affect data and applications accessible to that account, even if it does not automatically grant SYSTEM-level or administrator privileges. Running games from an administrator account would increase the potential damage.
Organizations that permit games on corporate hardware should treat the advisory as an application-management issue, not dismiss it because the vulnerable product is entertainment software. Endpoint tools should identify installations below 101.103.46651.0, while application-control policies can temporarily prevent launch on systems that cannot be updated immediately.
Security monitoring may also need to distinguish expected game behavior from suspicious child processes or unexpected file creation. Because Microsoft has not released detailed indicators of compromise or a technical exploitation sequence, defenders should avoid overly narrow detections based on an assumed attack method.
Players should also resist downloading unofficial “security patches,” modified executables, or repackaged installers that claim to address CVE-2026-50663. The legitimate remediation is the updated game distributed through an authorized channel.
For Age of Empires II: Definitive Edition users, the actionable boundary is clear even though the exploit mechanics are not: do not remain on a build below 101.103.46651.0. The unresolved question is how malicious input reaches the vulnerable path-handling code, but installing the corrected version removes the need to bet a Windows account on that missing detail.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: ageofempires.com
  3. Related coverage: support.ageofempires.com
 

Back
Top