CVE-2026-54997: Install July Updates to Fix Windows SMB Memory Leak

CVE-2026-54997 exposes sensitive memory through Windows SMB, and Microsoft has shipped the fix across supported Windows 10, Windows 11, and Windows Server releases in the July 14, 2026 security updates. Administrators should deploy the relevant cumulative update rather than attempting to mitigate the flaw by disabling file sharing or blocking SMB at the network boundary.
Detailed in Microsoft’s Security Update Guide, the vulnerability stems from Windows SMB using an uninitialized resource. An authorized attacker with local access and low privileges could exploit that condition to read information that should not be available to the attacking process.
Microsoft rates CVE-2026-54997 as Important, with a CVSS 3.1 base score of 5.5. The vulnerability was not publicly disclosed or known to be exploited when the update was released, according to Microsoft’s assessment as reproduced in the Zero Day Initiative’s July security review.

Illustration of an SMB memory disclosure risk exposing sensitive data between a Windows workstation and file server.The Attack Starts on the Windows Machine​

Despite SMB’s reputation as a network-facing protocol, CVE-2026-54997 is not scored as a remote attack. Its CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, placing the attacker locally on the affected computer and requiring an existing low-privilege account or equivalent code execution context.
That distinction matters. An anonymous attacker cannot simply send crafted traffic to TCP port 445 and use this CVE to extract data from an exposed Windows server. The vulnerability instead becomes relevant after an attacker has already gained limited access through a compromised account, malicious program, vulnerable service, or another security flaw.
No user interaction is required once that foothold exists, and Microsoft assesses the attack complexity as low. The confidentiality impact is high, while integrity and availability are unaffected: successful exploitation can reveal information, but CVE-2026-54997 does not by itself let an attacker alter data, execute code with higher privileges, or crash the system.
Microsoft maps the bug to CWE-908, Use of Uninitialized Resource. This class of weakness occurs when software consumes memory or another resource before its contents or state have been properly initialized. Depending on the affected code path, residual contents can cross a security boundary and become visible to an unauthorized process.
Microsoft has not publicly identified the precise SMB operation involved or described the exposed information. The Security Update Guide’s wording therefore supports treating the flaw as a potentially significant memory disclosure without assuming that it directly leaks passwords, NTLM credentials, file contents, or cryptographic keys.
That uncertainty is important for risk assessment. Information-disclosure vulnerabilities frequently expose memory addresses or fragments of process memory, but the practical value depends on what occupies the affected resource when the condition is triggered. A leak may be useful for bypassing exploit mitigations, gathering system details, or extracting data from another security context, even if it does not provide a complete compromise on its own.

Supported Clients and Servers Share the Same Exposure​

The affected-product range stretches across current Windows clients, long-term servicing releases, and multiple Windows Server generations. It includes Windows 11 versions 24H2, 25H2, and 26H1, as well as Windows Server 2012 through Windows Server 2025.
Windows 10 Version 1607, Version 1809, Version 21H2, and Version 22H2 also appear in the affected data. Whether a particular installation receives the correction through normal servicing, an LTSC channel, or an Extended Security Updates entitlement still depends on that edition’s support status.
The fixed build thresholds published with the CVE include:
  • Windows 11 versions 24H2 and 25H2 are corrected at builds 26100.8875 and 26200.8875.
  • Windows 11 version 26H1 is corrected at build 28000.2525.
  • Windows Server 2025 is corrected at build 26100.33158.
  • Windows Server 2022 is corrected at build 20348.5386.
  • Windows Server 2019 and Windows 10 Version 1809 are corrected at build 17763.9020.
  • Windows Server 2016 and Windows 10 Version 1607 are corrected at build 14393.9339.
  • Windows 10 versions 21H2 and 22H2 are corrected at builds 19044.7548 and 19045.7548.
Windows 11 24H2 and 25H2 receive the fix through KB5101650, which advances the operating systems to builds 26100.8875 and 26200.8875. Microsoft says it is not currently aware of any issues specifically affecting that cumulative update.
Windows Server 2022 receives build 20348.5386 through KB5099540. Microsoft has documented a separate known issue in that update involving a limited set of systems with BitLocker enabled, explicit PCR7 validation configured, and incompatible Secure Boot binding conditions; administrators should review that deployment warning before broad rollout.
Windows Server 2019 and Windows 10 Enterprise LTSC 2019 receive build 17763.9020 through KB5099538. As usual for cumulative Windows servicing, installing the July update also applies the month’s other security fixes and quality changes rather than delivering a standalone SMB-only patch.

A Medium Score Does Not Make the Leak Harmless​

CVE-2026-54997 sits below the emergency-patching threshold normally associated with unauthenticated remote code execution. It requires local access, provides no direct privilege escalation, and had no public exploit or observed attacks at publication. Those constraints explain its 5.5 CVSS score.
The vulnerability is nevertheless relevant to environments where low-privilege access is common or deliberately shared. Remote Desktop Session Host systems, jump servers, virtual desktop infrastructure, administrative utility servers, development machines, and multi-user Windows Server installations all place multiple security contexts on the same operating system.
On those systems, the requirement for an “authorized attacker” is less comforting than it sounds. It means the attacker must already possess some access, not that the attacker is authorized to obtain the information exposed by the flaw.
Security teams should also consider CVE-2026-54997 as a possible component in an exploit chain. A memory disclosure that reveals useful process or kernel information can reduce uncertainty for a second vulnerability, while a compromised low-privilege account may use the leak during discovery or credential-access activity. Microsoft has not said that such a chain is known, but the high confidentiality impact justifies patching the issue rather than dismissing it as an inconsequential data leak.
This is also why perimeter controls are not a substitute for the update. Blocking inbound SMB from the internet remains sound practice, but CVE-2026-54997 uses a local attack vector. Disabling SMB externally, filtering port 445, or requiring SMB signing does not address the underlying use of an uninitialized resource inside Windows.

Patch Verification Should Focus on Builds​

Organizations can deploy the July cumulative updates through Windows Update, Windows Update for Business, Microsoft Intune, Windows Server Update Services, Configuration Manager, or the Microsoft Update Catalog. Existing staged-deployment procedures remain appropriate because Microsoft has not identified active exploitation that would require bypassing normal validation.
Administrators should verify the resulting OS build rather than relying solely on a successful installation status. winver, the Settings app, PowerShell inventory, endpoint-management reports, and vulnerability-management platforms can all confirm whether machines have reached the fixed build for their Windows branch.
The practical deployment sequence is straightforward:
  • Prioritize shared Windows servers and endpoints where untrusted or lightly trusted users can obtain local sessions.
  • Test the full July cumulative update against file services, backup agents, storage integrations, and endpoint security products.
  • Confirm that supported systems reach the fixed build and investigate devices that remain below it.
  • Treat unsupported Windows installations as exposed unless they are covered by an applicable Extended Security Updates program.
CVE-2026-54997 is not an SMB worm, an anonymous file-server takeover, or a reason to disable Windows file sharing across an enterprise. It is a confirmed local information leak with low attack complexity and potentially high confidentiality impact, now corrected in the July 14, 2026 cumulative updates. The decisive control is getting affected Windows clients and servers onto their patched builds before an attacker can combine an ordinary foothold with the SMB disclosure.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top