CVE-2026-50687 is a high-scoring Windows Win32k elevation-of-privilege vulnerability that can let a locally authenticated attacker escape their existing security boundary and gain substantially greater control of a vulnerable PC or server. Microsoft addressed the flaw in its July 14, 2026 security releases for Windows 11 versions 24H2 and 25H2 and Windows Server 2025, while its published version data indicates Windows 11 version 26H1 was already protected at its June update level.
Detailed in the Microsoft Security Response Center’s Security Update Guide, CVE-2026-50687 carries a CVSS 3.1 base score of 8.8 High and is classified by Microsoft as Important. The National Vulnerability Database describes the underlying weakness as a use-after-free condition in the Windows kernel, although Microsoft’s advisory title identifies the affected area as Win32k.
Microsoft says the vulnerability was not publicly disclosed and was not known to be exploited when the advisory was published. Its exploitability assessment is Exploitation Less Likely, but there are no documented mitigations or workarounds to substitute for the relevant Windows security update.
CVE-2026-50687 is not a remote, unauthenticated entry point. Microsoft’s CVSS vector identifies a local attack requiring an attacker to already hold low-level privileges on the target, with no additional user interaction needed once the exploit is launched.
That distinction limits the ways an attacker can initially reach the vulnerability, but it does not make the flaw harmless. Local privilege-escalation vulnerabilities are commonly used after another technique has delivered code execution through phishing, a malicious document, a compromised application, stolen credentials, or an exposed remote-management service.
The CVSS vector is
The scope changed rating is particularly notable. It indicates that successful exploitation can cross from the security authority governing the vulnerable component into another security authority, rather than merely expanding access within the attacker’s original user context.
A successful attacker could therefore potentially read protected information, alter system data, disable security controls, install persistent components, or interfere with the operating system. Microsoft has not published exploit code or a detailed attack sequence, so those outcomes reflect the privileges represented by the CVSS assessment rather than a confirmed public proof of concept.
If an attacker can influence what occupies the freed memory, the stale reference may point to attacker-controlled or otherwise unexpected data. In a privileged Windows component, successful manipulation can turn a memory-management error into arbitrary memory access, code execution, or elevation of privilege.
Microsoft’s public material does not identify the specific Win32k function, object type, or system call involved. That omission matters because it prevents defenders from reliably detecting attempted exploitation through a narrow behavioral signature and prevents administrators from disabling one documented feature as a temporary defense.
The vendor has nevertheless marked the vulnerability’s report confidence as confirmed. That means Microsoft acknowledges the flaw’s existence and considers the available technical evidence sufficiently strong, even though the company has withheld the low-level details that would help attackers reproduce it.
Microsoft also states that successful exploitation requires an attacker to win a race condition. That introduces a timing dependency, but the advisory still assigns low attack complexity. Administrators should not interpret the race requirement as proof that exploitation would be impractical or unreliable on real systems.
Windows 11 versions 24H2 and 25H2 receive the correction through KB5101650, the July 14 cumulative security update. After installation, version 24H2 should report OS build 26100.8875, while version 25H2 should report build 26200.8875.
Windows Server 2025 receives KB5099536 and advances to OS build 26100.33158. Server Core is explicitly listed, so organizations cannot treat the absence of the full desktop shell as protection from this Win32k-related vulnerability.
The published protection points are:
The Windows 11 version 26H1 entry has an unusual chronology. Microsoft’s CVE data marks builds earlier than 28000.2269 as affected, but that build was delivered by KB5095051 on June 9, more than a month before CVE-2026-50687 was publicly documented on July 14.
That means a 26H1 installation already carrying the June 2026 cumulative update meets Microsoft’s stated corrected-build threshold. Administrators should still deploy the latest available 26H1 security update rather than deliberately stopping at June, since cumulative updates include later security corrections and supersede earlier packages.
Older products such as Windows 11 version 23H2, Windows 10, and Windows Server 2022 do not appear in the affected-product data published for this specific CVE. That should not be generalized into immunity from other Win32k or kernel vulnerabilities addressed in the much broader July security release.
Administrators can collect build data remotely through PowerShell, Microsoft Intune, Configuration Manager, Windows Update for Business reporting, or their endpoint-management platform. The key is to validate the resulting OS build rather than relying solely on a device reporting that an update scan completed successfully.
Windows Server 2025 deserves prompt attention because a server compromise can expose service credentials, application data, management interfaces, and connected infrastructure. Systems accepting interactive sessions, Remote Desktop connections, administrative tooling, or third-party workloads provide more opportunities for an attacker who has obtained an initial local foothold.
Deployment rings remain sensible, particularly for servers and specialized workstations, but CVE-2026-50687 offers no configuration-based workaround during an extended delay. Organizations that defer the cumulative update are accepting continued exposure until the corrected binaries are installed and the required restart completes.
The absence of known exploitation on July 14 is useful prioritization information, not a durable safety guarantee. Once cumulative updates are available, researchers and attackers can compare patched and unpatched binaries to identify the changed code—a process commonly described as patch diffing.
For Windows 11 24H2 and 25H2, the immediate operational target is KB5101650 and builds 26100.8875 or 26200.8875. For Windows Server 2025, including Server Core, it is KB5099536 and build 26100.33158; anything below those documented thresholds should remain in the July patch queue.
Detailed in the Microsoft Security Response Center’s Security Update Guide, CVE-2026-50687 carries a CVSS 3.1 base score of 8.8 High and is classified by Microsoft as Important. The National Vulnerability Database describes the underlying weakness as a use-after-free condition in the Windows kernel, although Microsoft’s advisory title identifies the affected area as Win32k.
Microsoft says the vulnerability was not publicly disclosed and was not known to be exploited when the advisory was published. Its exploitability assessment is Exploitation Less Likely, but there are no documented mitigations or workarounds to substitute for the relevant Windows security update.
A Local Foothold Can Become a System Compromise
CVE-2026-50687 is not a remote, unauthenticated entry point. Microsoft’s CVSS vector identifies a local attack requiring an attacker to already hold low-level privileges on the target, with no additional user interaction needed once the exploit is launched.That distinction limits the ways an attacker can initially reach the vulnerability, but it does not make the flaw harmless. Local privilege-escalation vulnerabilities are commonly used after another technique has delivered code execution through phishing, a malicious document, a compromised application, stolen credentials, or an exposed remote-management service.
The CVSS vector is
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. In practical terms, Microsoft’s assessment says exploitation has low complexity, requires low privileges, and can produce high confidentiality, integrity, and availability impact.The scope changed rating is particularly notable. It indicates that successful exploitation can cross from the security authority governing the vulnerable component into another security authority, rather than merely expanding access within the attacker’s original user context.
A successful attacker could therefore potentially read protected information, alter system data, disable security controls, install persistent components, or interfere with the operating system. Microsoft has not published exploit code or a detailed attack sequence, so those outcomes reflect the privileges represented by the CVSS assessment rather than a confirmed public proof of concept.
Use-After-Free Bugs Turn Memory Reuse Into an Attack Surface
The CVE record maps CVE-2026-50687 to CWE-416, or use after free. This class of memory-safety flaw occurs when software continues to reference an object after the memory assigned to that object has been released.If an attacker can influence what occupies the freed memory, the stale reference may point to attacker-controlled or otherwise unexpected data. In a privileged Windows component, successful manipulation can turn a memory-management error into arbitrary memory access, code execution, or elevation of privilege.
Microsoft’s public material does not identify the specific Win32k function, object type, or system call involved. That omission matters because it prevents defenders from reliably detecting attempted exploitation through a narrow behavioral signature and prevents administrators from disabling one documented feature as a temporary defense.
The vendor has nevertheless marked the vulnerability’s report confidence as confirmed. That means Microsoft acknowledges the flaw’s existence and considers the available technical evidence sufficiently strong, even though the company has withheld the low-level details that would help attackers reproduce it.
Microsoft also states that successful exploitation requires an attacker to win a race condition. That introduces a timing dependency, but the advisory still assigns low attack complexity. Administrators should not interpret the race requirement as proof that exploitation would be impractical or unreliable on real systems.
The Patched Build Number Is the Useful Test
Microsoft’s affected-version data covers Windows 11 versions 24H2, 25H2, and 26H1, plus Windows Server 2025 with either Desktop Experience or Server Core. Both x64 and ARM64 systems are included for the affected Windows 11 releases.Windows 11 versions 24H2 and 25H2 receive the correction through KB5101650, the July 14 cumulative security update. After installation, version 24H2 should report OS build 26100.8875, while version 25H2 should report build 26200.8875.
Windows Server 2025 receives KB5099536 and advances to OS build 26100.33158. Server Core is explicitly listed, so organizations cannot treat the absence of the full desktop shell as protection from this Win32k-related vulnerability.
The published protection points are:
| Windows release | Protected build or later | Relevant update |
|---|---|---|
| Windows 11 version 24H2 | 26100.8875 | KB5101650 |
| Windows 11 version 25H2 | 26200.8875 | KB5101650 |
| Windows 11 version 26H1 | 28000.2269 | KB5095051 |
| Windows Server 2025 | 26100.33158 | KB5099536 |
| Windows Server 2025 Server Core | 26100.33158 | KB5099536 |
That means a 26H1 installation already carrying the June 2026 cumulative update meets Microsoft’s stated corrected-build threshold. Administrators should still deploy the latest available 26H1 security update rather than deliberately stopping at June, since cumulative updates include later security corrections and supersede earlier packages.
Older products such as Windows 11 version 23H2, Windows 10, and Windows Server 2022 do not appear in the affected-product data published for this specific CVE. That should not be generalized into immunity from other Win32k or kernel vulnerabilities addressed in the much broader July security release.
Inventory Before Assuming Windows Update Finished the Job
For individual Windows 11 systems, the fastest verification route is Settings, System, About, followed by the OS build shown under Windows specifications. Runningwinver provides the same essential version and build information.Administrators can collect build data remotely through PowerShell, Microsoft Intune, Configuration Manager, Windows Update for Business reporting, or their endpoint-management platform. The key is to validate the resulting OS build rather than relying solely on a device reporting that an update scan completed successfully.
Windows Server 2025 deserves prompt attention because a server compromise can expose service credentials, application data, management interfaces, and connected infrastructure. Systems accepting interactive sessions, Remote Desktop connections, administrative tooling, or third-party workloads provide more opportunities for an attacker who has obtained an initial local foothold.
Deployment rings remain sensible, particularly for servers and specialized workstations, but CVE-2026-50687 offers no configuration-based workaround during an extended delay. Organizations that defer the cumulative update are accepting continued exposure until the corrected binaries are installed and the required restart completes.
The absence of known exploitation on July 14 is useful prioritization information, not a durable safety guarantee. Once cumulative updates are available, researchers and attackers can compare patched and unpatched binaries to identify the changed code—a process commonly described as patch diffing.
For Windows 11 24H2 and 25H2, the immediate operational target is KB5101650 and builds 26100.8875 or 26200.8875. For Windows Server 2025, including Server Core, it is KB5099536 and build 26100.33158; anything below those documented thresholds should remain in the July patch queue.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org
- Related coverage: safe.security
Windows Win32k Elevation of Privilege Vulnerability [CVE-2021-1732]
In this research paper, you can learn about Windows Win32k elevation of privilege vulnerability (CVE-2021-1732) and how it works. Download it here.safe.security
- Related coverage: windowsforum.com
CVE-2026-49166: Patch Windows 11 Print Privilege Escalation | Windows Forum
CVE-2026-49166 is a newly patched Windows Print Configuration vulnerability that allows an authenticated local attacker to elevate privileges by triggering...windowsforum.com