CVE-2026-58632: Install July Updates to Fix Windows Win32K EoP

Microsoft’s July 14, 2026 security updates fix CVE-2026-58632, a high-severity elevation-of-privilege flaw in the Windows Win32 Kernel Subsystem that could allow a locally authenticated attacker to obtain much broader control of an affected PC or server. The vulnerability is a use-after-free memory-management bug in Win32K, the kernel-side subsystem behind much of Windows’ graphical interface and windowing support.
Microsoft assigned the vulnerability a CVSS 3.1 score of 7.8, rated High, with a vector that requires local access and low privileges but no user interaction. In practical terms, this is not a drive-by or network-reachable vulnerability: an attacker must already be able to run code as a user on the target system. But a successful exploit could compromise confidentiality, integrity, and availability, making it a potentially valuable second-stage tool after malware, credential theft, or an initial foothold.
The Microsoft Security Response Center published CVE-2026-58632 as part of the July 2026 Patch Tuesday release. NIST’s National Vulnerability Database reflects Microsoft’s description and categorizes the issue as CWE-416, the standard weakness classification for use-after-free flaws.

A glowing cybersecurity shield blocks malware threats while protecting computers, laptops, and a central server.The important distinction: local access is not a safety net​

Windows elevation-of-privilege bugs are routinely misunderstood because they do not begin with unauthenticated remote access. A low-privilege account is still a meaningful security boundary in a managed environment: it should not be enough for a standard user, a malicious document payload, or a compromised application to become SYSTEM.
CVE-2026-58632 matters precisely because Win32K runs in a privileged part of Windows. A use-after-free condition means code can continue to use an object after the memory assigned to it has been released and potentially reused. In a kernel subsystem, that class of error can create an opening for memory corruption and privilege escalation if an attacker can reliably shape the resulting state.
Microsoft’s scoring says exploitation requires low privileges, not administrator rights. That distinction should drive triage. A workstation where users can run arbitrary executables, a Remote Desktop Session Host, or a server where an application service account has an interactive or local execution path presents more concern than a tightly locked-down appliance-like workload.
The currently available public record does not indicate known exploitation. CISA’s Stakeholder-Specific Vulnerability Categorization entry marks exploitation as “none” and automation as “no,” while assigning “total” technical impact if exploitation succeeds. That is a useful snapshot of the threat picture on July 15, not a reason to defer routine patching: public exploitation status can change rapidly once a Windows cumulative update gives researchers and attackers patched-versus-unpatched code to compare.

Microsoft lists a broad set of supported Windows releases​

According to Microsoft’s affected-product data, CVE-2026-58632 spans more than the current Windows 11 branch. The vulnerability affects Windows 10 servicing releases, Windows 11 24H2, 25H2, and 26H1, plus several Windows Server versions.
The key fixed build thresholds are:
  • Windows 10 version 1607 and Windows Server 2016 need OS Build 14393.9339 or later.
  • Windows 10 version 1809 and Windows Server 2019 need OS Build 17763.9020 or later.
  • Windows 10 version 21H2 and 22H2 need OS Build 19044.7548 or 19045.7548, respectively.
  • Windows 11 version 24H2 needs OS Build 26100.8875 or later.
  • Windows 11 version 25H2 is covered by the July package carrying OS Build 26200.8875.
  • Windows 11 version 26H1 needs OS Build 28000.2525 or later.
  • Windows Server 2022 needs OS Build 20348.5386 or later.
  • Windows Server 2025 needs OS Build 26100.33158 or later.
The affected list also includes Server Core installations where applicable. That is important for administrators who treat Server Core as inherently lower risk because of its reduced interface surface: fewer installed components can reduce exposure in general, but a kernel-level flaw listed for the operating system still requires the same update discipline.
One wrinkle is worth noting. Microsoft’s affected-product entry names Windows 11 versions 24H2, 25H2, and 26H1, but does not name desktop Windows 11 version 23H2 for this CVE. Microsoft did release the July 14 cumulative update KB5099414 for Windows 11 23H2, but administrators should not assume that every vulnerability addressed by a monthly Windows release applies to every supported branch.

The July cumulative updates are the remediation path​

For mainstream Windows 11 24H2 and 25H2 systems, the relevant cumulative update is KB5101650, released July 14. It advances Windows 11 24H2 to Build 26100.8875 and Windows 11 25H2 to Build 26200.8875. Microsoft’s release notes identify the package as containing the July security fixes.
Windows 10 Enterprise LTSC 2021, Windows 10 IoT Enterprise LTSC 2021, and Windows 10 systems receiving Extended Security Updates use KB5099539, which brings versions 21H2 and 22H2 to Builds 19044.7548 and 19045.7548. Organizations should use their normal Windows Update for Business, WSUS, Configuration Manager, Intune, or equivalent deployment process rather than attempting to locate an isolated Win32K patch; this is a cumulative Windows servicing release.
For endpoint teams, verification should be based on the installed OS build after the deployment succeeds, not merely on whether the update was offered. winver, Settings’ Windows Update history, inventory platforms, and device-management compliance reports can all establish whether a machine crossed the fixed build threshold.

Patch testing needs one extra networking check​

CVE-2026-58632 itself has no published workaround. Installing the appropriate July cumulative update is the fix. Yet this month’s Windows updates bring a separate compatibility consideration that deserves pre-deployment review in organizations with older networking products.
Microsoft says Windows security updates released on or after July 14 enforce registration requirements for third-party Transport Driver Interface, or TDI, transports. Applications using sockets through an unregistered third-party TDI transport may stop functioning after the update. Registered transports are not affected.
This is unlikely to affect typical consumer PCs, but it could matter for legacy security software, network monitoring components, proprietary VPN stacks, or specialized line-of-business software. Microsoft’s guidance says administrators can identify an affected transport through the Windows System log, looking for AFD Event ID 16003 reporting an unregistered TDI provider.
That compatibility issue is not a reason to leave vulnerable devices unpatched indefinitely. It is a reason to use a phased deployment: test representative legacy workloads, inspect System event logs, confirm critical connectivity, and have the vendor or application owner identify whether a supported transport update exists. Microsoft provides a temporary mitigation control for the TDI enforcement while organizations bring dependencies into compliance, but calls the hardening intentional.

Privilege escalation still belongs in the near-term queue​

CVE-2026-58632 is not being presented as an actively exploited zero-day, and its local attack requirement makes it less urgent than a critical unauthenticated remote-code-execution flaw. Still, the flaw crosses a boundary defenders rely on every day: the difference between an ordinary local foothold and privileged control of Windows.
For home users, the immediate action is straightforward: install the July 14 cumulative update and restart when prompted. For IT teams, the practical target is equally clear—bring affected Windows clients and servers to Microsoft’s fixed build levels, while testing for the TDI transport behavior change in environments that still carry legacy network drivers.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
 

Back
Top