CVE-2026-50673 is a newly patched Windows Kernel elevation-of-privilege vulnerability that can let a locally authenticated attacker cross a security boundary and gain extensive control of an affected system. Microsoft addressed the flaw in its July 14, 2026 security updates, covering supported Windows 10, Windows 11, and Windows Server releases.
Detailed in Microsoft’s Security Update Guide and subsequently published by the National Vulnerability Database, the vulnerability carries a CVSS 3.1 score of 7.8, rated High. Microsoft classifies the update itself as Important. Administrators should deploy the applicable July cumulative update rather than waiting for more public technical detail, particularly on multiuser systems, development machines, remote desktop hosts, and servers where a compromised low-privilege account could become a route to SYSTEM-level access.
Microsoft and CISA currently report no known exploitation. The Zero Day Initiative’s July update review also lists CVE-2026-50673 as neither publicly disclosed nor exploited at release time.
Microsoft describes CVE-2026-50673 as a NULL pointer dereference in the Windows Kernel that allows an authorized attacker to elevate privileges locally. The record associates the flaw with both CWE-476, NULL Pointer Dereference, and CWE-367, a time-of-check to time-of-use race condition.
A TOCTOU condition occurs when software validates the state of an object and later uses it under the assumption that the state has not changed. If an attacker can alter the relevant state between those operations, the program may act on invalid or attacker-controlled conditions. Race vulnerabilities can be difficult to exploit reliably because success depends on timing, which is consistent with Microsoft assigning CVE-2026-50673 a High attack-complexity rating.
The CVSS vector specifies a local attack requiring low privileges and no user interaction. In practical terms, this is not a vulnerability that an unauthenticated attacker can exploit directly over the network. An attacker must already be able to sign in or execute code on the target through another vulnerability, stolen credentials, malicious software, or an exposed interactive service.
That requirement limits the initial attack surface but does not make the flaw harmless. Elevation-of-privilege vulnerabilities commonly serve as the second stage of an intrusion: one weakness gets code onto the PC, while the kernel flaw removes the remaining restrictions.
Microsoft’s impact assessment assigns High potential losses to confidentiality, integrity, and availability. The CVSS scope is also marked as changed, indicating that successful exploitation can affect resources beyond the security authority in which the vulnerable operation begins. A successful exploit could therefore turn limited local access into broad control of the Windows installation.
Affected systems include:
For servers, the corrected thresholds include build 14393.9339 for Windows Server 2016, 17763.9020 for Windows Server 2019, 20348.5386 for Windows Server 2022, and 26100.33158 for Windows Server 2025. Windows Server 2012 and 2012 R2 require their corresponding July security packages under the applicable Extended Security Updates arrangement.
These build numbers matter because checking only whether Windows Update recently ran can produce false confidence. A machine may have scanned successfully while an update remains pending, blocked by policy, deferred by a management ring, or awaiting a restart. Administrators should verify the installed OS build through
The same CISA entry assigns a total technical impact, however. This distinction is important: CVE-2026-50673 may be harder to weaponize than a straightforward low-complexity bug, but the result could be severe if exploitation succeeds.
Race conditions are also sensitive to details such as processor scheduling, memory layout, core count, and system load. Those variables can make early proof-of-concept code unreliable without preventing attackers from refining it over time. Kernel vulnerabilities receive sustained research attention because a dependable privilege-escalation primitive can be reused after many different initial-access techniques.
Microsoft has not published exploit code, a detailed attack sequence, or a workaround separate from installing the security update. There is likewise no indication at publication that CVE-2026-50673 has been added to CISA’s Known Exploited Vulnerabilities catalog. Organizations should treat those facts as evidence about current threat activity, not as a guarantee that exploitation will remain unavailable.
The “report confidence” language shown in vulnerability scoring interfaces describes how firmly a vulnerability and its technical basis have been established. In this case, the flaw has been acknowledged and patched by Microsoft, and the CVE record identifies concrete weakness classes and affected build ranges. The vendor confirmation provides high confidence that the underlying vulnerability exists even though Microsoft has withheld the low-level information that would explain precisely how the kernel race is triggered.
Enterprise prioritization should start with systems where untrusted or semi-trusted users can execute applications. Remote Desktop Session Hosts, virtual desktop infrastructure, shared workstations, build agents, classroom and laboratory PCs, and servers running third-party workloads all provide environments in which a low-privilege foothold has greater value.
Security teams should also consider attack chains rather than evaluating this CVE in isolation. Browser flaws, document-based code execution, credential theft, malicious installers, and exposed remote-management tools can provide the local access that CVE-2026-50673 requires. Kernel privilege escalation can then help an attacker disable defenses, access protected credentials, manipulate system files, install persistent services, or interfere with logging.
Deployment teams still need to follow normal cumulative-update testing, especially across domain controllers, Hyper-V hosts, line-of-business servers, and machines using sensitive endpoint drivers. But because Microsoft provides no standalone mitigation, prolonged deferral leaves the vulnerable kernel code in place.
The operational target is concrete: install the July 14, 2026 Windows security update, reboot where required, and confirm that each device has reached or exceeded Microsoft’s corrected build for its release. Until those build checks are complete, CVE-2026-50673 remains an available escalation path for any attacker who has already crossed the first line of defense.
Detailed in Microsoft’s Security Update Guide and subsequently published by the National Vulnerability Database, the vulnerability carries a CVSS 3.1 score of 7.8, rated High. Microsoft classifies the update itself as Important. Administrators should deploy the applicable July cumulative update rather than waiting for more public technical detail, particularly on multiuser systems, development machines, remote desktop hosts, and servers where a compromised low-privilege account could become a route to SYSTEM-level access.
Microsoft and CISA currently report no known exploitation. The Zero Day Initiative’s July update review also lists CVE-2026-50673 as neither publicly disclosed nor exploited at release time.
A Race Condition Inside the Windows Kernel
Microsoft describes CVE-2026-50673 as a NULL pointer dereference in the Windows Kernel that allows an authorized attacker to elevate privileges locally. The record associates the flaw with both CWE-476, NULL Pointer Dereference, and CWE-367, a time-of-check to time-of-use race condition.A TOCTOU condition occurs when software validates the state of an object and later uses it under the assumption that the state has not changed. If an attacker can alter the relevant state between those operations, the program may act on invalid or attacker-controlled conditions. Race vulnerabilities can be difficult to exploit reliably because success depends on timing, which is consistent with Microsoft assigning CVE-2026-50673 a High attack-complexity rating.
The CVSS vector specifies a local attack requiring low privileges and no user interaction. In practical terms, this is not a vulnerability that an unauthenticated attacker can exploit directly over the network. An attacker must already be able to sign in or execute code on the target through another vulnerability, stolen credentials, malicious software, or an exposed interactive service.
That requirement limits the initial attack surface but does not make the flaw harmless. Elevation-of-privilege vulnerabilities commonly serve as the second stage of an intrusion: one weakness gets code onto the PC, while the kernel flaw removes the remaining restrictions.
Microsoft’s impact assessment assigns High potential losses to confidentiality, integrity, and availability. The CVSS scope is also marked as changed, indicating that successful exploitation can affect resources beyond the security authority in which the vulnerable operation begins. A successful exploit could therefore turn limited local access into broad control of the Windows installation.
The Patch Reaches Back Across the Windows Fleet
The affected-product list is unusually broad because the vulnerability resides in a central Windows component. Microsoft identifies supported configurations spanning older Windows Server deployments, remaining Windows 10 servicing channels, and current Windows 11 releases.Affected systems include:
- Windows 10 versions 1607, 1809, 21H2, and 22H2 are affected where those editions remain eligible for security servicing.
- Windows 11 versions 24H2, 25H2, and 26H1 are affected on x64 and Arm64 hardware.
- Windows Server 2012 and Windows Server 2012 R2 are affected, including Server Core installations.
- Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 are affected.
- Server Core variants of Windows Server 2016, 2019, and 2025 are included in Microsoft’s product record.
For servers, the corrected thresholds include build 14393.9339 for Windows Server 2016, 17763.9020 for Windows Server 2019, 20348.5386 for Windows Server 2022, and 26100.33158 for Windows Server 2025. Windows Server 2012 and 2012 R2 require their corresponding July security packages under the applicable Extended Security Updates arrangement.
These build numbers matter because checking only whether Windows Update recently ran can produce false confidence. A machine may have scanned successfully while an update remains pending, blocked by policy, deferred by a management ring, or awaiting a restart. Administrators should verify the installed OS build through
winver, PowerShell, Microsoft Intune, Configuration Manager, Windows Update for Business reporting, or their vulnerability-management platform.High Complexity Is Not a Reason to Delay
CISA’s initial Stakeholder-Specific Vulnerability Categorization entry marks exploitation as “none” and describes the vulnerability as not readily automatable. That matches the local access and high-complexity characteristics in Microsoft’s CVSS vector.The same CISA entry assigns a total technical impact, however. This distinction is important: CVE-2026-50673 may be harder to weaponize than a straightforward low-complexity bug, but the result could be severe if exploitation succeeds.
Race conditions are also sensitive to details such as processor scheduling, memory layout, core count, and system load. Those variables can make early proof-of-concept code unreliable without preventing attackers from refining it over time. Kernel vulnerabilities receive sustained research attention because a dependable privilege-escalation primitive can be reused after many different initial-access techniques.
Microsoft has not published exploit code, a detailed attack sequence, or a workaround separate from installing the security update. There is likewise no indication at publication that CVE-2026-50673 has been added to CISA’s Known Exploited Vulnerabilities catalog. Organizations should treat those facts as evidence about current threat activity, not as a guarantee that exploitation will remain unavailable.
The “report confidence” language shown in vulnerability scoring interfaces describes how firmly a vulnerability and its technical basis have been established. In this case, the flaw has been acknowledged and patched by Microsoft, and the CVE record identifies concrete weakness classes and affected build ranges. The vendor confirmation provides high confidence that the underlying vulnerability exists even though Microsoft has withheld the low-level information that would explain precisely how the kernel race is triggered.
Patch Priority Depends on Who Can Run Code
For ordinary home PCs receiving Windows cumulative updates automatically, the immediate action is to install the July 2026 update and complete the required restart. The absence of remote, unauthenticated exploitation means there is no special firewall rule or internet-facing service that users need to disable for CVE-2026-50673.Enterprise prioritization should start with systems where untrusted or semi-trusted users can execute applications. Remote Desktop Session Hosts, virtual desktop infrastructure, shared workstations, build agents, classroom and laboratory PCs, and servers running third-party workloads all provide environments in which a low-privilege foothold has greater value.
Security teams should also consider attack chains rather than evaluating this CVE in isolation. Browser flaws, document-based code execution, credential theft, malicious installers, and exposed remote-management tools can provide the local access that CVE-2026-50673 requires. Kernel privilege escalation can then help an attacker disable defenses, access protected credentials, manipulate system files, install persistent services, or interfere with logging.
Deployment teams still need to follow normal cumulative-update testing, especially across domain controllers, Hyper-V hosts, line-of-business servers, and machines using sensitive endpoint drivers. But because Microsoft provides no standalone mitigation, prolonged deferral leaves the vulnerable kernel code in place.
The operational target is concrete: install the July 14, 2026 Windows security update, reboot where required, and confirm that each device has reached or exceeded Microsoft’s corrected build for its release. Until those build checks are complete, CVE-2026-50673 remains an available escalation path for any attacker who has already crossed the first line of defense.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org