Microsoft’s July 14, 2026 security updates address CVE-2026-57090, a critical Windows Media Foundation remote code execution vulnerability that can be triggered over a network if an attacker can persuade a user to interact with malicious media content. Windows 11 24H2 and 25H2 systems receive the relevant fixes through KB5101650, which advances those releases to OS Builds 26100.8875 and 26200.8875.
Microsoft describes the flaw as a heap-based buffer overflow in Windows Media Foundation. The company assigned it a CVSS 3.1 score of 8.8, while listing the issue as Critical in its July Security Update Guide. NIST’s National Vulnerability Database, which is still awaiting its own enrichment of the record, reflects Microsoft’s supplied description, CWE-122 classification, and vector: network-reachable, low attack complexity, no privileges required, but user interaction required.
That last detail matters. CVE-2026-57090 is not presented as a wormable network service flaw that can compromise an unpatched PC merely because it is connected to a network. The attack path still requires a victim to open or otherwise process attacker-controlled media through a vulnerable Windows Media Foundation path. But it also does not require a local account or elevated permissions before the initial exploit attempt.
Microsoft published the CVE on July 14 as part of an unusually large Patch Tuesday release. BleepingComputer’s review of the release identified CVE-2026-57090 as one of several Media Foundation remote-code-execution issues fixed this month, alongside CVE-2026-57087, CVE-2026-57094, and CVE-2026-56189. For administrators, that clustering is the more useful operational signal: this is not a one-off codec issue to defer casually while the rest of the month’s update is evaluated.
The CVSS vector for CVE-2026-57090 is
For Windows users, that interaction could plausibly take the familiar forms associated with media parsing bugs: opening a file delivered by email, visiting a page that invokes vulnerable content, or previewing media through an application that relies on the affected Windows framework. Microsoft has not published an exploit narrative, proof of concept, affected file format, or specific application trigger for this CVE, so administrators should resist filling in those blanks with assumptions.
The absence of public technical detail is not a reason to downgrade the patch. It is a reason to focus controls where they help most: patch deployment, attachment filtering, web protection, application-control policies, and reduced local privilege. A successful remote-code-execution exploit runs in the context of the user who opens the content; standard-user deployments can therefore reduce the damage an attacker can do after initial code execution, even though they do not prevent the vulnerability itself.
Enterprise estates can encounter Media Foundation through browsers, conferencing clients, line-of-business software, digital-signage packages, media-management tools, and custom applications built on Windows multimedia APIs. The practical question is not whether a user launches a traditional media player. It is whether a workflow accepts or renders untrusted media on a Windows endpoint.
That distinction should also inform triage. A locked-down server that never processes user-supplied audio or video may have a different exposure profile from a shared workstation used to review customer uploads or a creative-production endpoint that handles media from outside the organization. The security update should still be deployed to all supported affected Windows systems, but rollout urgency can be weighted toward endpoints where externally sourced files are routinely opened.
Microsoft’s current public data does not identify CVE-2026-57090 as actively exploited or publicly disclosed before the patch release. NVD’s entry similarly contains Microsoft’s initial record but no independent technical enrichment. That is useful context, not an exemption from patching: vulnerabilities with low-complexity, no-privilege attack paths tend to become more attractive once researchers and attackers can compare patched and unpatched binaries.
Organizations should verify successful installation rather than simply confirming that the update was approved. On current Windows 11 deployments, KB5101650 corresponds to:
This is especially important for WSUS and Configuration Manager environments. A system can appear “patched” in a dashboard while still missing the security update because of a declined superseding update, an expired servicing stack dependency, a failed reboot, an update-ring hold, or a device stuck on an unsupported Windows release. Endpoint reporting should check installed KBs or OS build numbers after the deployment window.
Those details justify normal ring-based deployment discipline, particularly in organizations with specialized networking stacks or the affected Dell hardware. They do not justify leaving general user workstations exposed while a lengthy application-certification cycle runs. The more defensible approach is to test the update immediately on representative systems, validate media-heavy and network-dependent workloads, and then accelerate broad rollout unless a concrete compatibility failure emerges.
Security teams should also keep an eye on devices that are not receiving the July update because of policy deferrals, feature-update support boundaries, or hardware-related safeguards. A Media Foundation attack needs an interaction, which means socially engineered attachments and downloads remain central to the risk. Endpoint protection and email controls are valuable compensating layers during rollout, but they are not substitutes for remediating a memory-safety flaw in the operating system.
CVE-2026-57090’s public record is still sparse, and that uncertainty is precisely why the July update should be treated as a deployment task rather than a research project. For Windows 11 24H2 and 25H2 estates, the immediate checkpoint is KB5101650 and builds 26100.8875 or 26200.8875; for every other supported release, it is the corresponding July 14 cumulative update successfully installed and rebooted.
Microsoft describes the flaw as a heap-based buffer overflow in Windows Media Foundation. The company assigned it a CVSS 3.1 score of 8.8, while listing the issue as Critical in its July Security Update Guide. NIST’s National Vulnerability Database, which is still awaiting its own enrichment of the record, reflects Microsoft’s supplied description, CWE-122 classification, and vector: network-reachable, low attack complexity, no privileges required, but user interaction required.
That last detail matters. CVE-2026-57090 is not presented as a wormable network service flaw that can compromise an unpatched PC merely because it is connected to a network. The attack path still requires a victim to open or otherwise process attacker-controlled media through a vulnerable Windows Media Foundation path. But it also does not require a local account or elevated permissions before the initial exploit attempt.
Microsoft published the CVE on July 14 as part of an unusually large Patch Tuesday release. BleepingComputer’s review of the release identified CVE-2026-57090 as one of several Media Foundation remote-code-execution issues fixed this month, alongside CVE-2026-57087, CVE-2026-57094, and CVE-2026-56189. For administrators, that clustering is the more useful operational signal: this is not a one-off codec issue to defer casually while the rest of the month’s update is evaluated.
The “network” rating does not eliminate the user from the attack chain
The CVSS vector for CVE-2026-57090 is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In practical terms, an attacker can reach the vulnerable code path remotely, needs no credentials, and faces low technical complexity once a working exploit exists. The UI:R component, however, says an interaction is required.For Windows users, that interaction could plausibly take the familiar forms associated with media parsing bugs: opening a file delivered by email, visiting a page that invokes vulnerable content, or previewing media through an application that relies on the affected Windows framework. Microsoft has not published an exploit narrative, proof of concept, affected file format, or specific application trigger for this CVE, so administrators should resist filling in those blanks with assumptions.
The absence of public technical detail is not a reason to downgrade the patch. It is a reason to focus controls where they help most: patch deployment, attachment filtering, web protection, application-control policies, and reduced local privilege. A successful remote-code-execution exploit runs in the context of the user who opens the content; standard-user deployments can therefore reduce the damage an attacker can do after initial code execution, even though they do not prevent the vulnerability itself.
Media Foundation is infrastructure, not just a media-player feature
Windows Media Foundation is a platform component used for audio and video capture, playback, encoding, decoding, streaming, and related media operations. That makes the exposure broader and less obvious than a bug confined to a single app such as Windows Media Player.Enterprise estates can encounter Media Foundation through browsers, conferencing clients, line-of-business software, digital-signage packages, media-management tools, and custom applications built on Windows multimedia APIs. The practical question is not whether a user launches a traditional media player. It is whether a workflow accepts or renders untrusted media on a Windows endpoint.
That distinction should also inform triage. A locked-down server that never processes user-supplied audio or video may have a different exposure profile from a shared workstation used to review customer uploads or a creative-production endpoint that handles media from outside the organization. The security update should still be deployed to all supported affected Windows systems, but rollout urgency can be weighted toward endpoints where externally sourced files are routinely opened.
Microsoft’s current public data does not identify CVE-2026-57090 as actively exploited or publicly disclosed before the patch release. NVD’s entry similarly contains Microsoft’s initial record but no independent technical enrichment. That is useful context, not an exemption from patching: vulnerabilities with low-complexity, no-privilege attack paths tend to become more attractive once researchers and attackers can compare patched and unpatched binaries.
July’s cumulative updates are the fix, not a standalone Media Foundation package
For Windows 11 version 24H2 and version 25H2, Microsoft’s July 14 cumulative update is KB5101650. Microsoft says the package contains the July 2026 security fixes and is distributed through Windows Update, Windows Update for Business, Windows Server Update Services, and the Microsoft Update Catalog.Organizations should verify successful installation rather than simply confirming that the update was approved. On current Windows 11 deployments, KB5101650 corresponds to:
- Windows 11 version 24H2, OS Build 26100.8875.
- Windows 11 version 25H2, OS Build 26200.8875.
This is especially important for WSUS and Configuration Manager environments. A system can appear “patched” in a dashboard while still missing the security update because of a declined superseding update, an expired servicing stack dependency, a failed reboot, an update-ring hold, or a device stuck on an unsupported Windows release. Endpoint reporting should check installed KBs or OS build numbers after the deployment window.
The patch should move ahead of ordinary user-experience testing
KB5101650 carries more than security fixes, including a networking hardening change involving third-party TDI transports and changes around Secure Boot certificate deployment. Microsoft’s release notes also describe a temporary availability hold for a limited group of Dell systems with Intel processors after reports of potential shutdowns, heat, performance, and battery-drain symptoms.Those details justify normal ring-based deployment discipline, particularly in organizations with specialized networking stacks or the affected Dell hardware. They do not justify leaving general user workstations exposed while a lengthy application-certification cycle runs. The more defensible approach is to test the update immediately on representative systems, validate media-heavy and network-dependent workloads, and then accelerate broad rollout unless a concrete compatibility failure emerges.
Security teams should also keep an eye on devices that are not receiving the July update because of policy deferrals, feature-update support boundaries, or hardware-related safeguards. A Media Foundation attack needs an interaction, which means socially engineered attachments and downloads remain central to the risk. Endpoint protection and email controls are valuable compensating layers during rollout, but they are not substitutes for remediating a memory-safety flaw in the operating system.
CVE-2026-57090’s public record is still sparse, and that uncertainty is precisely why the July update should be treated as a deployment task rather than a research project. For Windows 11 24H2 and 25H2 estates, the immediate checkpoint is KB5101650 and builds 26100.8875 or 26200.8875; for every other supported release, it is the corresponding July 14 cumulative update successfully installed and rebooted.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: tomshardware.com
Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild | Tom's Hardware
System administrators, run the May 12 patch immediately if you haven't already.www.tomshardware.com - Related coverage: techradar.com
Microsoft quietly patches LNK vulnerability that's been weaponized for years | TechRadar
The November Patch Tuesday fixed an age-old bugwww.techradar.com - Official source: support.microsoft.com
July 14, 2026—KB5101650 (OS Builds 26200.8870 and 26100.8875) | Microsoft Support
July 14, 2026—KB5101650 (OS Builds 26200.8870 and 26100.8875)support.microsoft.com