Microsoft has patched CVE-2026-55144, an Important-rated vulnerability in Windows Cryptography API: Next Generation (CNG) that could let a locally authenticated attacker tamper with protected data and expose confidential information. The fix arrived with the July 14, 2026 security updates for Windows 11 and Windows Server, including KB5101650 for Windows 11 versions 24H2 and 25H2.
Detailed in Microsoft’s Security Update Guide and newly published National Vulnerability Database record, CVE-2026-55144 carries a CVSS 3.1 base score of 7.1. Microsoft says exploitation is less likely and reports no public disclosure or exploitation in the wild, but the potential impact includes a complete loss of confidentiality and integrity for data reached through the vulnerable path.
The practical instruction is straightforward: install the July 2026 cumulative security update, confirm the resulting OS build, and prioritize systems on which local users or service accounts handle sensitive cryptographic material.
Microsoft describes the underlying weakness as a “missing cryptographic step” in Windows CryptoAPI. The vulnerability is classified under CWE-325, which covers situations where software omits a cryptographic operation that is necessary to protect data or enforce its authenticity.
That description is brief, and Microsoft has not published a proof of concept or a detailed account of the affected CNG operation. It does establish that this is not simply a crash or availability problem: an attacker who successfully reaches the vulnerable code could tamper with information and obtain data that should remain confidential.
The CVSS vector is
Those conditions make CVE-2026-55144 more relevant after an attacker has already secured an initial foothold. It is not an unauthenticated, Internet-facing remote-code-execution flaw, but it could reportedly help a low-privileged user or compromised process interfere with cryptographic processing without needing administrative rights.
That distinction matters for enterprise risk scoring. Local attack vector does not mean harmless when shared servers, developer workstations, virtual desktops, jump hosts, or systems running multiple service identities allow less-trusted code to operate beside sensitive workloads.
For Windows 11 versions 24H2 and 25H2, KB5101650 advances systems to builds 26100.8875 and 26200.8875, respectively. The two client releases share a servicing foundation, so Microsoft distributes many security and quality changes through the same cumulative package while retaining separate build branches.
Windows Server 2022 receives the correction through KB5099540, which moves the operating system to build 20348.5386. Both the Desktop Experience and Server Core installations of Windows Server 2025 are listed as affected, making minimal-interface deployments no exception to the patch requirement.
The NVD entry was still awaiting its own enrichment on July 14, meaning its affected-build data and CVSS score were supplied by Microsoft rather than independently calculated by NIST. That does not reduce the status of the vulnerability: Microsoft is the assigning CVE Numbering Authority and has marked the technical report as confirmed.
Administrators should use build compliance rather than merely checking whether Windows Update ran successfully. Endpoint management dashboards can report a device as recently updated while it remains below the corrected build because of a failed installation, deployment deferral, safeguard hold, or pending restart.
That lowers the immediate urgency compared with a remotely exploitable zero-day, but it does not remove the need to patch. CISA assigns the potential technical impact as total, reflecting the high confidentiality and integrity consequences described in Microsoft’s scoring.
The absence of user interaction is also notable. Once an attacker has the required local privileges and can invoke the affected functionality, the CVSS assessment indicates that exploitation does not depend on social engineering another logged-in user.
Microsoft has listed no mitigation or workaround. Organizations that delay the cumulative update therefore cannot rely on a registry change, disabled service, Group Policy setting, or network firewall rule as an equivalent protection.
Existing controls can still reduce the opportunity for exploitation. Application control through Windows Defender Application Control or AppLocker, removal of unnecessary local accounts, strong service-account separation, and restrictions on interactive server logons can make it harder for an attacker to obtain the local execution position the vulnerability requires. Endpoint detection should also treat unexpected cryptographic API access by unfamiliar processes as investigative context, although Microsoft has not published a reliable CVE-specific detection pattern.
Microsoft’s Windows Server 2022 notes warn that a limited number of devices using an unrecommended combination of BitLocker Group Policy settings may request the BitLocker recovery key on the first restart after installing KB5099540. Administrators should confirm that recovery information is escrowed and accessible before deploying broadly to affected server groups.
Deployment rings remain appropriate, but the test period should be bounded. A sensible rollout begins with representative Windows 11 devices and noncritical servers, validates cryptography-dependent applications, then advances to systems hosting certificate services, authentication components, encrypted data workflows, signing tools, or software that directly calls CNG providers.
After installation and restart, administrators should verify the OS build with
CVE-2026-55144 is not currently a zero-day emergency, but its location inside Windows cryptographic plumbing and its high confidentiality and integrity impact make it a poor candidate for an open-ended deferral. The immediate milestone is patched-build coverage: Windows 11 24H2 and 25H2 systems should reach 26100.8875 or 26200.8875, while administrators should confirm the corresponding July 14 build on every affected Windows Server deployment.
Detailed in Microsoft’s Security Update Guide and newly published National Vulnerability Database record, CVE-2026-55144 carries a CVSS 3.1 base score of 7.1. Microsoft says exploitation is less likely and reports no public disclosure or exploitation in the wild, but the potential impact includes a complete loss of confidentiality and integrity for data reached through the vulnerable path.
The practical instruction is straightforward: install the July 2026 cumulative security update, confirm the resulting OS build, and prioritize systems on which local users or service accounts handle sensitive cryptographic material.
A Missing Step Undermines a Security Boundary
Microsoft describes the underlying weakness as a “missing cryptographic step” in Windows CryptoAPI. The vulnerability is classified under CWE-325, which covers situations where software omits a cryptographic operation that is necessary to protect data or enforce its authenticity.That description is brief, and Microsoft has not published a proof of concept or a detailed account of the affected CNG operation. It does establish that this is not simply a crash or availability problem: an attacker who successfully reaches the vulnerable code could tamper with information and obtain data that should remain confidential.
The CVSS vector is
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. In practical terms, exploitation requires local access and low privileges, has low attack complexity, and does not require another user to click a file or approve a prompt. Successful exploitation does not directly affect availability, but Microsoft rates both confidentiality and integrity impact as high.Those conditions make CVE-2026-55144 more relevant after an attacker has already secured an initial foothold. It is not an unauthenticated, Internet-facing remote-code-execution flaw, but it could reportedly help a low-privileged user or compromised process interfere with cryptographic processing without needing administrative rights.
That distinction matters for enterprise risk scoring. Local attack vector does not mean harmless when shared servers, developer workstations, virtual desktops, jump hosts, or systems running multiple service identities allow less-trusted code to operate beside sensitive workloads.
Windows 11 and Current Server Releases Need the Fix
The affected-product list currently covers recent Windows 11 releases and two supported Windows Server generations. According to the CVE record submitted by Microsoft, administrators should verify that systems have reached at least these patched build levels:| Product | Patched build |
|---|---|
| Windows 11 version 24H2 | 26100.8875 |
| Windows 11 version 25H2 | 26200.8875 |
| Windows 11 version 26H1 | 28000.2525 |
| Windows Server 2022 | 20348.5386 |
| Windows Server 2025 | 26100.33158 |
| Windows Server 2025 Server Core | 26100.33158 |
Windows Server 2022 receives the correction through KB5099540, which moves the operating system to build 20348.5386. Both the Desktop Experience and Server Core installations of Windows Server 2025 are listed as affected, making minimal-interface deployments no exception to the patch requirement.
The NVD entry was still awaiting its own enrichment on July 14, meaning its affected-build data and CVSS score were supplied by Microsoft rather than independently calculated by NIST. That does not reduce the status of the vulnerability: Microsoft is the assigning CVE Numbering Authority and has marked the technical report as confirmed.
Administrators should use build compliance rather than merely checking whether Windows Update ran successfully. Endpoint management dashboards can report a device as recently updated while it remains below the corrected build because of a failed installation, deployment deferral, safeguard hold, or pending restart.
The Threat Starts After Initial Access
Microsoft’s exploitability assessment lists CVE-2026-55144 as “Exploitation Less Likely.” CISA’s initial Stakeholder-Specific Vulnerability Categorization data similarly records no known exploitation and says the attack is not readily automatable.That lowers the immediate urgency compared with a remotely exploitable zero-day, but it does not remove the need to patch. CISA assigns the potential technical impact as total, reflecting the high confidentiality and integrity consequences described in Microsoft’s scoring.
The absence of user interaction is also notable. Once an attacker has the required local privileges and can invoke the affected functionality, the CVSS assessment indicates that exploitation does not depend on social engineering another logged-in user.
Microsoft has listed no mitigation or workaround. Organizations that delay the cumulative update therefore cannot rely on a registry change, disabled service, Group Policy setting, or network firewall rule as an equivalent protection.
Existing controls can still reduce the opportunity for exploitation. Application control through Windows Defender Application Control or AppLocker, removal of unnecessary local accounts, strong service-account separation, and restrictions on interactive server logons can make it harder for an attacker to obtain the local execution position the vulnerability requires. Endpoint detection should also treat unexpected cryptographic API access by unfamiliar processes as investigative context, although Microsoft has not published a reliable CVE-specific detection pattern.
Patch Testing Should Not Ignore the Cumulative Package
CVE-2026-55144 is delivered as part of a broader Windows cumulative update rather than as a standalone CNG patch. IT teams must consequently evaluate the complete July package, including its security changes, servicing behavior, and documented known issues.Microsoft’s Windows Server 2022 notes warn that a limited number of devices using an unrecommended combination of BitLocker Group Policy settings may request the BitLocker recovery key on the first restart after installing KB5099540. Administrators should confirm that recovery information is escrowed and accessible before deploying broadly to affected server groups.
Deployment rings remain appropriate, but the test period should be bounded. A sensible rollout begins with representative Windows 11 devices and noncritical servers, validates cryptography-dependent applications, then advances to systems hosting certificate services, authentication components, encrypted data workflows, signing tools, or software that directly calls CNG providers.
After installation and restart, administrators should verify the OS build with
winver, PowerShell inventory, Microsoft Intune, Configuration Manager, Windows Update for Business reports, or their vulnerability-management platform. Scanners should be checked for build-based detection because no public exploit test is necessary to determine exposure.CVE-2026-55144 is not currently a zero-day emergency, but its location inside Windows cryptographic plumbing and its high confidentiality and integrity impact make it a poor candidate for an open-ended deferral. The immediate milestone is patched-build coverage: Windows 11 24H2 and 25H2 systems should reach 26100.8875 or 26200.8875, while administrators should confirm the corresponding July 14 build on every affected Windows Server deployment.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com