Microsoft has patched CVE-2026-50690, an Important-rated Windows SMB vulnerability that can let a locally authenticated attacker expose sensitive information. The flaw was addressed in the July 14, 2026 security updates and carries a CVSS 3.1 base score of 5.5.
Detailed in Microsoft’s Security Response Center advisory, the vulnerability stems from Windows SMB using an uninitialized resource. Microsoft says exploitation requires local access and low privileges, but no user interaction. The company has confirmed the vulnerability while reporting no public disclosure or known exploitation at publication time.
That combination makes CVE-2026-50690 less immediately dangerous than a remotely exploitable SMB bug, but not irrelevant. SMB operates close to data, credentials, shared storage, and core Windows networking, so unintended memory disclosure can provide information useful in a broader attack.
Microsoft describes CVE-2026-50690 as a local information-disclosure vulnerability. The CVSS vector is
The attacker needs low-level privileges, and exploitation is considered low complexity. No victim needs to click a link, open a document, connect to a malicious share, or approve a prompt. Successful exploitation could produce a high confidentiality impact, although Microsoft assigns no direct integrity or availability impact.
This is therefore not an SMB worm, an unauthenticated network takeover, or another SMBGhost-style emergency. Exposing TCP port 445 to the internet is poor security practice, but that exposure alone does not satisfy the local attack requirement documented for CVE-2026-50690.
The likely enterprise concern is post-compromise leverage. An attacker who has obtained an ordinary user session through phishing, stolen credentials, malicious software, or another vulnerability may be able to use this flaw to retrieve information that should not be available at that privilege level. Microsoft has not publicly specified exactly what data can be recovered, so claims about credentials, encryption keys, kernel addresses, or document contents would go beyond the available evidence.
The weakness is classified as CWE-908, or use of an uninitialized resource. This class of bug occurs when software exposes or acts on a resource before it has been placed into a defined state. In an information-disclosure scenario, a buffer or structure can potentially retain data from earlier operations and return fragments that were never intended for the requesting process.
The same vector includes
Those two facts can coexist: the vulnerability is confirmed, but working public exploitation has not been confirmed. Report confidence answers whether the defect is real. It does not mean that researchers or attackers have released a proof of concept, nor does it establish that criminal groups are using it.
The vector also carries
Microsoft rates CVE-2026-50690 Important even though its numerical CVSS score falls in the medium range. That distinction is common in Microsoft advisories because the company’s severity rating incorporates product-specific impact and servicing considerations rather than simply copying the CVSS category.
For Windows 11 version 24H2 and Windows 11 version 25H2, the July security release is KB5101650, taking the operating systems to builds 26100.8875 and 26200.8875 respectively. Windows Server 2025 receives its July fixes through KB5099536. Other supported releases have their own corresponding cumulative or security-only packages.
Administrators should use the Microsoft Security Response Center and Windows release-health documentation to map each managed operating-system version to the correct KB. The CVE is not serviced as a small standalone SMB hotfix; remediation arrives as part of the relevant cumulative security update.
That matters operationally because July 2026 is an unusually large Microsoft security release. BleepingComputer counted 570 vulnerabilities addressed across Microsoft products, including 102 information-disclosure issues. CVE-2026-50690 can easily disappear inside that volume, while the same cumulative packages also correct substantially more severe remote-code-execution and privilege-escalation vulnerabilities.
Security teams should not evaluate the July cumulative updates solely around this one CVE. Even if a risk-based process places CVE-2026-50690 behind internet-facing or actively exploited flaws, installing the cumulative update closes the entire supported set for that Windows build.
CVE-2026-50690’s local requirement reduces the value of network-edge scanning for this specific defect. A scanner can establish whether the relevant July update is installed, but probing port 445 does not prove that the information leak is exploitable. Tenable’s July update checks similarly rely on the host’s reported Windows version and patch state rather than attempting exploitation.
Practical deployment should focus on a few concrete steps:
CVE-2026-50690 does not carry the attack profile that made earlier SMB vulnerabilities synonymous with rapid network compromise. Its risk is quieter: a confirmed, low-complexity information leak available to an attacker who already has a foothold.
The immediate milestone is patch verification. Once July’s cumulative updates clear compatibility testing, administrators should confirm the installed KB and OS build on Windows clients and servers rather than assuming routine Windows Update policy has completed the job.
Detailed in Microsoft’s Security Response Center advisory, the vulnerability stems from Windows SMB using an uninitialized resource. Microsoft says exploitation requires local access and low privileges, but no user interaction. The company has confirmed the vulnerability while reporting no public disclosure or known exploitation at publication time.
That combination makes CVE-2026-50690 less immediately dangerous than a remotely exploitable SMB bug, but not irrelevant. SMB operates close to data, credentials, shared storage, and core Windows networking, so unintended memory disclosure can provide information useful in a broader attack.
The Attack Starts After Access
Microsoft describes CVE-2026-50690 as a local information-disclosure vulnerability. The CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, which spells out the practical conditions clearly: an attacker must already be able to run code or operate under an account on the vulnerable machine.The attacker needs low-level privileges, and exploitation is considered low complexity. No victim needs to click a link, open a document, connect to a malicious share, or approve a prompt. Successful exploitation could produce a high confidentiality impact, although Microsoft assigns no direct integrity or availability impact.
This is therefore not an SMB worm, an unauthenticated network takeover, or another SMBGhost-style emergency. Exposing TCP port 445 to the internet is poor security practice, but that exposure alone does not satisfy the local attack requirement documented for CVE-2026-50690.
The likely enterprise concern is post-compromise leverage. An attacker who has obtained an ordinary user session through phishing, stolen credentials, malicious software, or another vulnerability may be able to use this flaw to retrieve information that should not be available at that privilege level. Microsoft has not publicly specified exactly what data can be recovered, so claims about credentials, encryption keys, kernel addresses, or document contents would go beyond the available evidence.
The weakness is classified as CWE-908, or use of an uninitialized resource. This class of bug occurs when software exposes or acts on a resource before it has been placed into a defined state. In an information-disclosure scenario, a buffer or structure can potentially retain data from earlier operations and return fragments that were never intended for the requesting process.
Microsoft’s Confidence Metrics Need Careful Reading
The advisory’s vulnerability-confidence language should not be confused with exploit likelihood. Microsoft’s CVSS temporal vector includesRC:C, meaning report confidence confirmed. That indicates the vendor accepts the vulnerability and its technical basis as established, rather than treating it as an unverified or incomplete report.The same vector includes
E:U, meaning the exploit-code maturity was unproven when Microsoft published the advisory. The Zero Day Initiative’s July Patch Tuesday review likewise listed CVE-2026-50690 as neither publicly disclosed nor exploited in the wild. SANS Internet Storm Center reported the same status in its July 14 vulnerability overview.Those two facts can coexist: the vulnerability is confirmed, but working public exploitation has not been confirmed. Report confidence answers whether the defect is real. It does not mean that researchers or attackers have released a proof of concept, nor does it establish that criminal groups are using it.
The vector also carries
RL:O, indicating that an official remediation is available. For administrators, that is the actionable part of the temporal score: Microsoft has shipped the correction through supported Windows security updates, so there is little reason to leave the issue exposed beyond normal testing and deployment windows.Microsoft rates CVE-2026-50690 Important even though its numerical CVSS score falls in the medium range. That distinction is common in Microsoft advisories because the company’s severity rating incorporates product-specific impact and servicing considerations rather than simply copying the CVSS category.
The Patch Is Bundled Into July’s Cumulative Updates
CVE-2026-50690 affects multiple supported Windows client and server branches, including Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2025 configurations listed in Microsoft’s update data. Server Core installations are included where applicable.For Windows 11 version 24H2 and Windows 11 version 25H2, the July security release is KB5101650, taking the operating systems to builds 26100.8875 and 26200.8875 respectively. Windows Server 2025 receives its July fixes through KB5099536. Other supported releases have their own corresponding cumulative or security-only packages.
Administrators should use the Microsoft Security Response Center and Windows release-health documentation to map each managed operating-system version to the correct KB. The CVE is not serviced as a small standalone SMB hotfix; remediation arrives as part of the relevant cumulative security update.
That matters operationally because July 2026 is an unusually large Microsoft security release. BleepingComputer counted 570 vulnerabilities addressed across Microsoft products, including 102 information-disclosure issues. CVE-2026-50690 can easily disappear inside that volume, while the same cumulative packages also correct substantially more severe remote-code-execution and privilege-escalation vulnerabilities.
Security teams should not evaluate the July cumulative updates solely around this one CVE. Even if a risk-based process places CVE-2026-50690 behind internet-facing or actively exploited flaws, installing the cumulative update closes the entire supported set for that Windows build.
SMB Servers Deserve the Shorter Deployment Window
Workstations are affected, but systems where SMB plays a central role deserve earlier attention. That includes Windows file servers, domain infrastructure, Remote Desktop Session Hosts, backup servers, application servers using SMB paths, and multi-user systems where less-trusted accounts operate alongside privileged services.CVE-2026-50690’s local requirement reduces the value of network-edge scanning for this specific defect. A scanner can establish whether the relevant July update is installed, but probing port 445 does not prove that the information leak is exploitable. Tenable’s July update checks similarly rely on the host’s reported Windows version and patch state rather than attempting exploitation.
Practical deployment should focus on a few concrete steps:
- Administrators should identify machines missing the July 14, 2026 cumulative security update for their Windows release.
- File servers and shared-session systems should receive priority because they combine SMB activity with multiple users, services, and security contexts.
- Security teams should monitor Microsoft Defender for Endpoint and other EDR tools for unusual local processes interacting with SMB components after an initial account compromise.
- Organizations should continue restricting administrative access and separating privileged sessions from everyday user activity.
- Internet-facing SMB should remain blocked, even though CVE-2026-50690 itself is documented as a local vulnerability.
CVE-2026-50690 does not carry the attack profile that made earlier SMB vulnerabilities synonymous with rapid network compromise. Its risk is quieter: a confirmed, low-complexity information leak available to an attacker who already has a foothold.
The immediate milestone is patch verification. Once July’s cumulative updates clear compatibility testing, administrators should confirm the installed KB and OS build on Windows clients and servers rather than assuming routine Windows Update policy has completed the job.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: tomshardware.com
Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild | Tom's Hardware
System administrators, run the May 12 patch immediately if you haven't already.www.tomshardware.com