CVE-2026-56186: Install July Updates to Fix Windows Schannel Leak

Microsoft’s July 14, 2026 security updates fix CVE-2026-56186, a Windows Secure Channel, or Schannel, information disclosure vulnerability rated 8.1 High. The flaw is an out-of-bounds read in the Windows TLS/SSL implementation and can allow an authorized attacker to disclose information over a network, according to Microsoft’s CVE record as mirrored by the National Vulnerability Database.
For administrators, the immediate action is straightforward: deploy the July cumulative update appropriate to each supported Windows release, then verify that devices have reached the corrected build. This is not currently reported as exploited in the wild, but the network attack vector, low attack complexity, and breadth of affected Windows client and server releases make it a patch-management priority rather than a vulnerability to leave for a routine monthly catch-up.
Microsoft published the advisory at 7:00 a.m. Pacific time on July 14, the same day as its July Patch Tuesday release. The NVD lists the weakness as CWE-125, out-of-bounds read, and records Microsoft as the CNA providing the technical details and severity assessment.

Cybersecurity infographic showing a patched Windows Secure Channel vulnerability and enterprise update deployment.The risk sits in Windows’ TLS plumbing​

Schannel is Windows’ built-in Secure Channel provider: the component applications and services can use for SSL and TLS communications. That makes CVE-2026-56186 less about a single end-user app and more about the shared security plumbing underneath HTTPS-capable Windows workloads, service-to-service traffic, authentication flows, and other encrypted network connections.
Microsoft’s public description is deliberately brief. It says an out-of-bounds read in Windows Schannel allows an authorized attacker to disclose information over a network. It does not identify the vulnerable code path, affected protocol versions, prerequisite service configuration, or the precise nature of information exposed.
That restraint is normal at release time, but it matters when interpreting the score. An out-of-bounds read can expose data that should remain outside a process’s intended memory boundary. It should not be casually translated into “TLS encryption is broken” or “an unauthenticated internet attacker can read all HTTPS traffic.” Microsoft has not made either claim.
The CVSS 3.1 vector supplied by Microsoft is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. In practical terms, the rating assumes a network-reachable target, low attack complexity, and no user interaction, but it also requires low-level privileges. Confidentiality and availability are scored High, while integrity is not affected.
That last point is worth noting. The advisory headline says information disclosure, yet Microsoft’s vector also assigns a High availability impact. That is a signal that the faulty read may be capable of destabilizing an affected process or service under some conditions, even though the named security impact is data disclosure. It is not evidence of remote code execution.

Patch status: build numbers provide the clearest test​

Microsoft’s security metadata identifies a wide set of affected Windows releases, including Windows 10, Windows 11, and supported Windows Server versions. The fixed build threshold is the useful operational measure: systems below it remain affected; systems at or above it include the July fix.
For the mainstream desktop estate, the key July releases are:
  • Windows 11 version 24H2 is fixed in OS Build 26100.8875 through KB5101650.
  • Windows 11 version 25H2 is fixed in OS Build 26200.8875 through KB5101650.
  • Windows 10 version 21H2 and version 22H2 are fixed in OS Builds 19044.7548 and 19045.7548 through KB5099539.
  • Windows Server 2022 is fixed in OS Build 20348.5386 through KB5099540.
Microsoft’s affected-product data also includes Windows 10 version 1607 and Windows Server 2016 below build 14393.9339, plus Windows 10 version 1809 and Windows Server 2019 below build 17763.9020. Windows Server 2012 and Windows Server 2012 R2 are listed as affected where Extended Security Updates still apply, with fixed build thresholds of 9200.26226 and 9600.23291, respectively.
Windows Server 2025 and Server Core are also in scope. Organizations should not assume that a server’s lack of direct internet exposure removes the urgency: network-reachable does not necessarily mean publicly reachable. East-west exposure, internal reverse proxies, authentication services, application gateways, management planes, and line-of-business services can all put Schannel in play.
Microsoft’s July Windows update documentation says the cumulative updates are available through Windows Update, Windows Update for Business, Windows Server Update Services, and the Microsoft Update Catalog. In managed environments, the practical goal is to confirm successful installation rather than merely approving the KB in WSUS or an endpoint-management platform.

“Authorized attacker” changes the triage, not the remediation​

The requirement for privileges is an important mitigating factor. CVE-2026-56186 is not described as a wormable Schannel bug, an unauthenticated pre-auth server compromise, or a client-side drive-by attack. It requires an attacker to have some level of authorized access first.
But that condition should not be over-read as harmless. Low-privilege access is a common post-compromise state: a standard domain account, a constrained service account, an account obtained through phishing, or a foothold on a segmented internal network may be enough to satisfy a vulnerability’s privilege requirement. In those scenarios, an information disclosure flaw can become a useful stepping stone for credential theft, service disruption, or further lateral movement.
CISA’s Stakeholder-Specific Vulnerability Categorization entry, recorded in the NVD change history on July 14, classifies exploitation as “none,” automation as “no,” and technical impact as “partial.” That is useful prioritization context, not a guarantee that exploit code will not appear. It means there was no known exploitation signal in that assessment and the available technical information did not support treating it as broadly automatable.
SANS Internet Storm Center’s July 14 Patch Tuesday listing likewise showed no public disclosure and no known exploitation indicators for CVE-2026-56186 at the time of publication. The absence of a proof of concept is particularly relevant because Microsoft has disclosed only the vulnerability class and broad attack conditions, not a recipe for triggering it.

Test the update, not just the vulnerability​

July’s cumulative updates carry changes beyond this one CVE. Microsoft’s release notes also document networking hardening around third-party Transport Driver Interface transports, Secure Boot certificate delivery work, and Remote Desktop publisher certificate changes. Those are separate from CVE-2026-56186, but they reinforce the case for a disciplined deployment rather than an indiscriminate rush across every production ring.
For Windows 11 24H2 and 25H2, Microsoft has also placed a compatibility hold on KB5101650 for a limited number of Dell devices with Intel processors after Dell reported potential shutdowns, performance degradation, increased heat, and battery drain. Administrators with affected hardware should follow Microsoft’s hold and Dell-specific guidance rather than bypassing safeguards simply to obtain this single fix.
A sensible enterprise sequence is to deploy to an expedited pilot ring containing representative TLS-dependent workloads, validate application connectivity and service health, and then advance through standard production rings. Prioritize systems that terminate TLS, serve internal web applications, broker remote access, use Windows-integrated authentication, or expose Schannel-backed services to less-trusted network segments.
For systems that cannot receive the update immediately, compensating controls can reduce exposure but do not replace the fix. Restricting access to affected services, enforcing least privilege for service and user accounts, limiting lateral movement, and monitoring anomalous TLS-service failures are reasonable short-term steps. Disabling Schannel wholesale is not a practical workaround for most Windows environments and may break far more than it protects.
The key checkpoint is now concrete: Windows 11 24H2 devices should report build 26100.8875 or later, Windows 11 25H2 should report 26200.8875 or later, and Windows 10 ESU or LTSC estates should reach 19044.7548 or 19045.7548. Until Microsoft releases deeper technical detail—or researchers publish validated analysis—those patched build levels are the most reliable line between an affected Schannel installation and a remediated one.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top