CVE-2026-56168: Patch Windows SMB Server DoS With July Updates

CVE-2026-56168 is a Windows SMB Server denial-of-service vulnerability that can let an authenticated attacker crash or disrupt a vulnerable SMB service over the network. Microsoft fixed the flaw in its July 14, 2026 security updates, making patch deployment the primary action for administrators running affected Windows Server and client systems.
Detailed in Microsoft’s Security Update Guide, the vulnerability is caused by a null pointer dereference in Windows SMB Server. Microsoft rates it Important with a CVSS 3.1 base score of 6.5, reflecting a network-accessible attack that requires low complexity, no user interaction, and some existing privileges.
The National Vulnerability Database lists Microsoft as the assigning authority and identifies the weakness as CWE-476. NVD enrichment was still pending on July 15, but the underlying vulnerability, affected-version data, and technical classification have been confirmed by Microsoft rather than inferred from an unverified third-party report.

Cybersecurity illustration showing SMB TCP 445 traffic, a vulnerable server, firewall protection, and CVE-2026-56168.Authentication Keeps This Below Critical​

The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. In practical terms, an attacker can reach the vulnerable component across a network and does not need to persuade a user to open a document, click a link, or run a program.
The important constraint is PR:L: the attacker must already be authorized at a low privilege level. CVE-2026-56168 is therefore not an unauthenticated SMB worm scenario like the vulnerabilities associated with the WannaCry era, nor does Microsoft describe it as a path to remote code execution.
That distinction lowers the likelihood of indiscriminate Internet-wide attacks, but it does not remove the enterprise risk. A compromised domain account, service credential, contractor login, or other permitted SMB identity could reportedly be used to trigger the vulnerable code path. Environments with broad internal file-sharing access give an attacker more systems against which to test that capability.
Successful exploitation affects availability rather than confidentiality or integrity. Microsoft’s score assigns no impact to data disclosure or modification, but gives availability the maximum value. For a file server, clustered application dependency, profile host, backup repository, or departmental share, that disruption can still become an operational incident.
Microsoft has not reported active exploitation, and the CISA assessment attached to the public CVE record listed exploitation as none as of July 14. There is also no indication in the available advisories that working proof-of-concept code has been released publicly.

July Updates Establish the Patched Baseline​

Microsoft’s affected-version data covers Windows 10, three current Windows 11 releases, Windows Server 2022, and Windows Server 2025. Systems at or above the July build thresholds are no longer listed as vulnerable to CVE-2026-56168.
The relevant July 14 update baselines are:
  • Windows 10 version 21H2 and version 22H2 receive KB5099539, moving systems to builds 19044.7548 and 19045.7548 respectively.
  • Windows 11 version 24H2 and version 25H2 receive KB5101650, bringing both servicing branches to build revision 8875.
  • Windows 11 version 26H1 receives KB5101649 and moves to OS build 28000.2525.
  • Windows Server 2022 receives KB5099540 and moves to OS build 20348.5386.
  • Windows Server 2025 receives KB5099536 and moves to OS build 26100.33158, including Server Core installations.
Microsoft’s CVE record describes Windows 11 26H1 builds earlier than 28000.2269 as affected, while the July cumulative update advances the release further to 28000.2525. Administrators should use the installed July cumulative update and its resulting build—not merely the minimum version boundary in vulnerability-scanner metadata—as the clearest evidence that remediation has been deployed.
Windows Server deserves priority because it is more likely to have the SMB Server service intentionally exposed to multiple users and applications. Client editions can also act as SMB servers when file or printer sharing is enabled, however, so Windows 11 workstations should not automatically be excluded from vulnerability-management queries.
The Windows 10 entries require additional attention. Windows 10 version 22H2 reached the end of normal support on October 14, 2025, meaning eligible machines now depend on Extended Security Updates to receive patches such as KB5099539. Windows 10 Enterprise LTSC 2021 and IoT Enterprise LTSC 2021 remain on their respective servicing timelines, but unsupported consumer machines should not be assumed to receive this protection automatically.

SMB Exposure Is an Internal-Security Question​

Blocking TCP port 445 at the Internet perimeter remains basic defensive hygiene, but CVE-2026-56168 cannot be treated solely as an external exposure problem. Its authentication requirement makes lateral movement and insider-access paths more relevant than anonymous probing from outside the organization.
Administrators should identify machines accepting SMB connections, then compare that inventory against business need. File servers, domain infrastructure, Windows clusters, deployment services, profile systems, backup platforms, and workstations with administrative shares may all appear in that result, but they do not carry equal operational importance.
Network segmentation can reduce the number of authenticated identities capable of reaching high-value SMB servers. Firewall rules should limit TCP 445 to approved management networks, application tiers, and user segments rather than allowing unrestricted east-west access. Disabling SMB Server or Windows file sharing on endpoints that do not require it further reduces the reachable surface.
Monitoring should focus on unexpected SMB connection attempts followed by service instability, server restarts, dropped file sessions, or repeated failures associated with one account or source host. A denial-of-service event may leave less obvious evidence than file theft or malware execution, so Windows event collection and network telemetry become important for distinguishing exploitation from an ordinary service fault.
Organizations should also review service accounts with broad file-share access. The low-privilege requirement does not necessarily mean an interactive employee account; credentials embedded in scheduled tasks, scripts, appliances, or line-of-business applications may provide sufficient authorization if compromised.

Patch Testing Still Has July-Specific Complications​

The cumulative nature of Windows servicing means there is no standalone CVE-2026-56168 package to deploy. Installing the corresponding July cumulative update also introduces the month’s reliability fixes, security hardening, and any documented compatibility changes.
On Windows Server 2022, Microsoft warns that a limited set of devices using an unrecommended BitLocker Group Policy configuration may request the BitLocker recovery key after the first restart. Administrators should verify recovery-key availability and review the TPM platform validation profile policy before broad deployment rather than using the warning as a reason to leave SMB servers exposed.
Microsoft also documents a July networking hardening change that enforces registration requirements for third-party Transport Driver Interface transports. Applications using sockets over unregistered third-party TDI transports may stop working after the update, while registered transports are not affected. That issue is separate from CVE-2026-56168, but it belongs in the same change window and could complicate troubleshooting after rollout.
Some Dell systems with Intel processors may not immediately be offered KB5101650 because of a reported compatibility issue involving shutdowns, heat, performance, and battery consumption. Where Microsoft or an OEM has placed an update safeguard, administrators should not bypass it casually; affected endpoints instead need compensating controls around SMB exposure until the package is offered safely.
For server deployments, a staged rollout remains appropriate, but the test cycle should be measured in hours or a few days rather than left open-ended. Validate file access, clustered workloads, backup jobs, authentication, third-party network software, and reboot behavior, then move rapidly through production groups.
The actionable endpoint is the installed July 14, 2026 cumulative update and its documented OS build. CVE-2026-56168 is not currently an exploited zero-day, but its combination of network reachability, low attack complexity, and high availability impact makes unpatched SMB servers an avoidable disruption risk once an attacker has obtained valid credentials.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: tomshardware.com
 

Back
Top