CVE-2026-50696 exposes supported Windows clients and servers to a network-based denial-of-service attack against the Internet Key Exchange protocol, making July’s cumulative Windows updates a priority for systems that terminate IPsec or VPN connections. Microsoft rates the heap-based buffer overflow Important with a CVSS 3.1 score of 7.5.
Detailed in the Microsoft Security Response Center’s July 14 advisory, the flaw allows an unauthorized attacker to disrupt an affected system by sending malicious traffic over a network. No account, local access, or user interaction is required. Microsoft describes the vulnerability as confirmed, meaning the vendor has sufficient evidence to verify both its existence and the underlying technical details.
Microsoft said CVE-2026-50696 was neither publicly disclosed nor known to be exploited when the patches were released on July 14, 2026. Zero Day Initiative’s July security review likewise records no public disclosure or active exploitation, while BleepingComputer lists the issue among 35 denial-of-service vulnerabilities addressed in Microsoft’s unusually large July Patch Tuesday release.
Internet Key Exchange is used to negotiate security associations and cryptographic material for IPsec. On Windows, it sits behind networking features such as IPsec policies, certain VPN configurations, and the Routing and Remote Access Service. IKE normally uses UDP port 500, with UDP port 4500 commonly involved when NAT traversal is required.
CVE-2026-50696 stems from a heap-based buffer overflow in the Windows IKE implementation. According to Microsoft’s CVE description, specially crafted network input can trigger the memory error and deny service to the target.
That outcome is narrower than remote code execution: Microsoft identifies no confidentiality or integrity impact, and the advisory does not say an attacker can execute commands or steal information. The security consequence is availability loss, potentially interrupting the Windows component or system handling affected IKE traffic.
The CVSS score nevertheless reflects an uncomfortable attack profile. The flaw is reachable across a network, requires no prior privileges and needs no action from an administrator or signed-in user. An attacker does not need to convince someone to open an attachment, visit a website, or establish an authenticated VPN session first.
Microsoft’s Important rating should therefore not be interpreted as “safe to postpone” on VPN gateways. A denial of service against an employee workstation and a denial of service against a Windows Server endpoint carrying site-to-site IPsec traffic have materially different operational consequences, even though both installations contain the same vulnerable code.
Not every patched Windows machine presents equal exposure. Systems that do not accept IKE traffic from untrusted networks are less attractive targets than public VPN concentrators, RRAS servers, IPsec gateways, or hosts covered by connection security rules.
Administrators should identify where UDP 500 and UDP 4500 are permitted through perimeter firewalls, cloud network security groups and host firewalls. That inventory should include multihomed Windows servers and appliances sitting behind NAT, since an external address may forward IKE traffic to an internal Windows endpoint that is not obviously Internet-facing.
A practical review should cover:
The affected-version data identifies build 19045.7548 as the corrected threshold for Windows 10 22H2 and build 17763.9020 for the Windows 10 1809 and Windows Server 2019 code line. Windows Server 2022 receives KB5099540, moving to build 20348.5386, while the corrected Windows Server 2025 branch is build 26100.33158.
These are cumulative updates rather than isolated IKE hotfixes. Deploying them also brings July’s other Windows security and quality changes, which makes staged validation important despite the network exposure of CVE-2026-50696.
Microsoft currently reports no known issues for KB5101650 on Windows 11 24H2 and 25H2. Windows Server 2022 has a documented BitLocker recovery risk on a limited set of managed systems using an unrecommended PCR7 Group Policy configuration, so administrators should review Microsoft’s conditions and retain recovery keys before broad deployment.
That testing requirement should not become an excuse for an open-ended delay. Internet-accessible IKE endpoints belong in an early deployment ring, followed by internal VPN and IPsec infrastructure and then the broader Windows estate. Organizations with redundant gateways can patch one node, validate tunnel establishment and rekeying, and then move through the remaining nodes.
It does not mean attacks have been observed. Microsoft’s initial assessment says CVE-2026-50696 was not publicly disclosed and was not being exploited when published. Zero Day Initiative records the same status.
Nor does confirmation prove that reliable exploit code is publicly available. It does indicate that Microsoft has moved beyond a speculative report and issued an official correction for a verified memory-safety bug. That distinction matters when triaging a Patch Tuesday containing hundreds of CVEs: this is a concrete flaw with a network attack path, even if it was not a zero-day on release day.
Security teams should watch for any revision to Microsoft’s exploitability assessment, public proof-of-concept code, or additions to government exploited-vulnerability catalogs. IKE traffic has a relatively well-defined network footprint, giving defenders a better opportunity to correlate sudden service failures with inbound UDP 500 or 4500 activity than they would have with many client-side crashes.
For now, the concrete action is straightforward: bring exposed Windows IKE and IPsec endpoints to their July 14, 2026 servicing level, verify that VPN tunnels and security associations recover normally after restart, and confirm the installed OS build rather than relying solely on a deployment console’s success status.
Detailed in the Microsoft Security Response Center’s July 14 advisory, the flaw allows an unauthorized attacker to disrupt an affected system by sending malicious traffic over a network. No account, local access, or user interaction is required. Microsoft describes the vulnerability as confirmed, meaning the vendor has sufficient evidence to verify both its existence and the underlying technical details.
Microsoft said CVE-2026-50696 was neither publicly disclosed nor known to be exploited when the patches were released on July 14, 2026. Zero Day Initiative’s July security review likewise records no public disclosure or active exploitation, while BleepingComputer lists the issue among 35 denial-of-service vulnerabilities addressed in Microsoft’s unusually large July Patch Tuesday release.
A Heap Overflow at the VPN Negotiation Layer
Internet Key Exchange is used to negotiate security associations and cryptographic material for IPsec. On Windows, it sits behind networking features such as IPsec policies, certain VPN configurations, and the Routing and Remote Access Service. IKE normally uses UDP port 500, with UDP port 4500 commonly involved when NAT traversal is required.CVE-2026-50696 stems from a heap-based buffer overflow in the Windows IKE implementation. According to Microsoft’s CVE description, specially crafted network input can trigger the memory error and deny service to the target.
That outcome is narrower than remote code execution: Microsoft identifies no confidentiality or integrity impact, and the advisory does not say an attacker can execute commands or steal information. The security consequence is availability loss, potentially interrupting the Windows component or system handling affected IKE traffic.
The CVSS score nevertheless reflects an uncomfortable attack profile. The flaw is reachable across a network, requires no prior privileges and needs no action from an administrator or signed-in user. An attacker does not need to convince someone to open an attachment, visit a website, or establish an authenticated VPN session first.
Microsoft’s Important rating should therefore not be interpreted as “safe to postpone” on VPN gateways. A denial of service against an employee workstation and a denial of service against a Windows Server endpoint carrying site-to-site IPsec traffic have materially different operational consequences, even though both installations contain the same vulnerable code.
Exposure Depends on Where Windows Handles IKE
The affected-product range is broad. Microsoft’s vulnerability data covers Windows 10 Version 1809, Windows 10 versions 21H2 and 22H2, Windows 11 versions 24H2, 25H2 and 26H1, plus Windows Server 2019, Windows Server 2022 and Windows Server 2025. Server Core installations are included where applicable.Not every patched Windows machine presents equal exposure. Systems that do not accept IKE traffic from untrusted networks are less attractive targets than public VPN concentrators, RRAS servers, IPsec gateways, or hosts covered by connection security rules.
Administrators should identify where UDP 500 and UDP 4500 are permitted through perimeter firewalls, cloud network security groups and host firewalls. That inventory should include multihomed Windows servers and appliances sitting behind NAT, since an external address may forward IKE traffic to an internal Windows endpoint that is not obviously Internet-facing.
A practical review should cover:
- Windows Server systems running Routing and Remote Access Service should receive accelerated testing and deployment.
- Public IP addresses allowing UDP 500 or UDP 4500 should be mapped to the Windows hosts that ultimately process the traffic.
- Site-to-site IPsec endpoints should be checked for redundancy before patching to avoid turning a maintenance restart into an outage.
- Endpoint security and network monitoring should be reviewed for repeated malformed or abnormal IKE negotiations.
- Unsupported Windows releases should not be assumed safe merely because they are absent from the supported-update table.
July Builds Carry the Fix
For Windows 11 24H2 and 25H2, Microsoft delivers the correction through KB5101650, taking those platforms to OS builds 26100.8875 and 26200.8875 respectively. Windows 11 26H1 receives KB5101649 and moves to build 28000.2525.The affected-version data identifies build 19045.7548 as the corrected threshold for Windows 10 22H2 and build 17763.9020 for the Windows 10 1809 and Windows Server 2019 code line. Windows Server 2022 receives KB5099540, moving to build 20348.5386, while the corrected Windows Server 2025 branch is build 26100.33158.
These are cumulative updates rather than isolated IKE hotfixes. Deploying them also brings July’s other Windows security and quality changes, which makes staged validation important despite the network exposure of CVE-2026-50696.
Microsoft currently reports no known issues for KB5101650 on Windows 11 24H2 and 25H2. Windows Server 2022 has a documented BitLocker recovery risk on a limited set of managed systems using an unrecommended PCR7 Group Policy configuration, so administrators should review Microsoft’s conditions and retain recovery keys before broad deployment.
That testing requirement should not become an excuse for an open-ended delay. Internet-accessible IKE endpoints belong in an early deployment ring, followed by internal VPN and IPsec infrastructure and then the broader Windows estate. Organizations with redundant gateways can patch one node, validate tunnel establishment and rekeying, and then move through the remaining nodes.
Confirmation Raises Confidence, Not Exploitability
The “report confidence” language supplied with the advisory describes how certain Microsoft is that the vulnerability and its technical details are real. A Confirmed rating means detailed evidence exists, functional reproduction is possible, or the affected vendor has acknowledged the weakness.It does not mean attacks have been observed. Microsoft’s initial assessment says CVE-2026-50696 was not publicly disclosed and was not being exploited when published. Zero Day Initiative records the same status.
Nor does confirmation prove that reliable exploit code is publicly available. It does indicate that Microsoft has moved beyond a speculative report and issued an official correction for a verified memory-safety bug. That distinction matters when triaging a Patch Tuesday containing hundreds of CVEs: this is a concrete flaw with a network attack path, even if it was not a zero-day on release day.
Security teams should watch for any revision to Microsoft’s exploitability assessment, public proof-of-concept code, or additions to government exploited-vulnerability catalogs. IKE traffic has a relatively well-defined network footprint, giving defenders a better opportunity to correlate sudden service failures with inbound UDP 500 or 4500 activity than they would have with many client-side crashes.
For now, the concrete action is straightforward: bring exposed Windows IKE and IPsec endpoints to their July 14, 2026 servicing level, verify that VPN tunnels and security associations recover normally after restart, and confirm the installed OS build rather than relying solely on a deployment console’s success status.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com