CVE-2026-57096 RRAS Privilege Escalation Fixed in July Updates

Microsoft’s July 14 security updates fix CVE-2026-57096, a high-severity elevation-of-privilege flaw in Windows Routing and Remote Access Service (RRAS) that could let an authenticated local attacker gain higher permissions on an affected machine. The issue is a heap-based buffer overflow, carries a CVSS 3.1 score of 7.8, and is addressed through this month’s cumulative Windows updates.
Microsoft’s Security Update Guide rates the vulnerability Important, not Critical, and its exploitability assessment says exploitation is less likely. The company also reports no public disclosure and no detected exploitation as of July 15. That makes this a patch-now issue rather than an incident-response emergency—but RRAS deployments should not let the “local” attack vector turn into a reason to defer.
The National Vulnerability Database, which has logged Microsoft as the CVE’s source, describes the bug plainly: an authorized attacker can exploit a heap-based buffer overflow in RRAS to elevate privileges locally. The NVD has not completed its own enrichment, but it records Microsoft’s CWE-122 classification for heap-based buffer overflow and the full CVSS vector: local access, low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.
BleepingComputer’s July Patch Tuesday coverage lists CVE-2026-57096 among Microsoft’s unusually large July release, which contained 570 fixes. That scale is relevant operationally: this RRAS flaw is one of many reasons to get the monthly cumulative update through validation and deployment, rather than attempting a narrow, one-off remediation.

Cybersecurity analyst monitors a high-risk vulnerability being patched and mitigated across a secured network.A foothold is still required—but it can be enough​

The practical limitation is significant. CVE-2026-57096 is not described as remotely reachable, does not permit unauthenticated intrusion, and does not require a user to open a file or click through a prompt. An attacker needs an existing authorized local position on the Windows device.
That means the vulnerability is most useful as a post-compromise step. A threat actor who arrives through stolen credentials, a malicious installer, a phishing-driven initial-access route, an abused remote-management tool, or a lower-privilege account may be able to convert that access into substantially greater control. Microsoft’s vector assigns high confidentiality, integrity, and availability impact, so a successful exploit could undermine the security boundary administrators expect after an attacker initially lands as a standard user or restricted service identity.
For RRAS hosts, that distinction matters more than it would on an ordinary workstation. RRAS commonly appears on systems that terminate VPN connections, provide routing, support demand-dial links, or deliver network address translation services. Those systems may have privileged network placement, stored connection configuration, certificates, RADIUS integration, and administrative access paths that make privilege escalation especially valuable.
The bug is therefore not an internet-facing RRAS takeover vulnerability. It is a local privilege-escalation weakness on machines that include the affected Windows component. But an attacker rarely needs every stage of an intrusion to be remotely exploitable; chaining a modest foothold with elevation of privilege is a familiar route to full system compromise.

July’s cumulative updates carry the fix​

Microsoft has not published a separate standalone hotfix or workaround for CVE-2026-57096. The remediation is to install the relevant July 14, 2026 security update and reboot where required.
The affected product list is broad, including supported Windows 10 and Windows 11 releases plus Windows Server editions from Windows Server 2012 R2 through Windows Server 2025. Microsoft’s published fixed build thresholds identify the practical patch target:
Product familyJuly 2026 updatePatched build
Windows 10 21H2 and 22H2KB509953919044.7548 / 19045.7548
Windows 10 1809 and Windows Server 2019KB509953817763.9020
Windows 10 1607 and Windows Server 2016KB509953514393.9339
Windows 11 24H2 and 25H2KB510165026100.8875 / 26200.8875
Windows 11 26H1KB510164928000.2525
Windows Server 2022KB509954020348.5386
Windows Server 2025KB509953626100.33158
Windows Server 2012 R2 is also affected, including Server Core installations, and should receive its July servicing update through the organization’s normal Windows Update, WSUS, Configuration Manager, or update-management workflow.
The affected list includes both full Server and Server Core installations where applicable. That is important for administrators who assume an absence of the desktop experience implies a reduced exposure footprint. Server Core reduces many management and application surfaces, but it is not a substitute for servicing the underlying OS components.

RRAS inventory should drive the rollout order​

The most sensible approach is to prioritize hosts where RRAS is intentionally deployed and in use. A rapid inventory can identify the machines most likely to carry operational importance: Windows VPN servers, branch routing servers, legacy NAT gateways, and systems where the Routing and Remote Access role is installed for specialized connectivity.
Administrators should validate the update first on representative RRAS systems, particularly where the service is integrated with Network Policy Server, RADIUS, Active Directory Certificate Services, site-to-site VPNs, or third-party monitoring and endpoint security tools. The vulnerability itself does not come with a published mitigation, so disabling the role merely to avoid patching is generally the wrong first response if that role is business-critical. Apply the cumulative update, restart during the maintenance window, and test the actual services that depend on RRAS.
A focused validation pass should include:
  • Confirming that the RRAS service starts normally after reboot and that configured protocols remain enabled.
  • Testing VPN authentication, address assignment, routing, and name resolution from a representative client.
  • Reviewing Event Viewer for RRAS, RemoteAccess, RasMan, NPS, and certificate-related errors following the update.
  • Verifying the operating-system build number rather than relying only on update deployment status.
That final point matters in estates with servicing-stack issues, deferred restarts, superseded packages, or reporting delays. The fixed build is the clearest endpoint: a Windows 11 24H2 system should report build 26100.8875 or later, while a Windows Server 2022 host should report 20348.5386 or later.

The confidence signal is useful, but not a reason to wait​

Microsoft’s assessment that exploitation is less likely reflects the vulnerability’s known conditions, not an assurance that exploitation is impractical. The documented requirements—local access and low-level privileges—reduce the likelihood of immediate mass attacks compared with an unauthenticated network flaw. They do not reduce the impact of a successful exploit once an adversary is already on a system.
The “no public disclosure” and “not exploited” fields are also snapshots, not permanent properties. Microsoft published CVE-2026-57096 on July 14, 2026; public technical detail remains limited at this early stage. The lack of a public proof of concept buys defenders time, and that time is best spent deploying the July cumulative updates before deeper analysis, reverse engineering, or exploit development changes the risk calculation.
For Windows environments with RRAS in the stack, the immediate task is straightforward: identify the servers, install the July 14 updates, confirm the fixed build, and make sure reboot compliance is real.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top