Microsoft on July 14, 2026, released a security update that addresses a vulnerability in the Windows Trusted Runtime Interface Driver which could allow an authenticated local attacker to expose sensitive system information. Rated high for confidentiality impact with a CVSS score of 5.5, CVE-2026-50350 is a low-complexity threat that requires no user interaction, prompting swift patch deployment, especially on multi-user workstations and servers.
What Microsoft Fixed: The CVE-2026-50350 Vulnerability
The flaw resides in the Windows Trusted Runtime Interface Driver, an internal component that Microsoft says could be abused to read information that the attacker should not normally have access to. This is a classic information-disclosure bug, categorized under CWE-200. The CVSS vector string (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates that the attack is local, with low attack complexity and low privileges required, but the confidentiality impact is high. There is no impact to integrity or availability, meaning the vulnerability cannot be used to modify data or crash the system.
Importantly, exploitation requires the attacker to already have authenticated access to the target machine with at least low-level privileges. That could happen through malware, compromised credentials, or other vulnerabilities that grant local execution. While not a remote-code-execution flaw, the high confidentiality impact makes it attractive for attackers looking to gather intelligence or set up more damaging attacks.
The Rollout: Which Updates Fix the Flaw
Microsoft distributed the fix through its July 2026 monthly security release. Because the vulnerability affects multiple Windows versions, the specific updates and resulting build numbers vary. Admins and power users should verify that their machines have reached or exceeded the corrected builds after applying the patches. Installing the latest cumulative update for your version will typically bring you past the vulnerable range.
Here’s the matrix of affected products and their fixed builds:
| Windows Version | Required Update KB | Fixed Build Number |
|---|---|---|
| Windows 10 21H2 | KB5099539 | 19044.7548 |
| Windows 10 22H2 | KB5099539 | 19045.7548 |
| Windows 11 24H2 | KB5101650 | 26100.8875 |
| Windows 11 25H2 | KB5101650 | 26200.8875 |
| Windows 11 26H1 | KB5101649 (July) | 28000.2269 (June boundary) |
| Windows Server 2025 (incl. Server Core) | KB5099536 | 26100.33158 |
Note: Windows 10 version 22H2 reached its general end of support on October 14, 2025. Organizations must have an active Extended Security Updates (ESU) subscription to receive this patch. For Windows 11 26H1, the corrected boundary is build 28000.2269 from June 2026, but the July update KB5101649 advances systems to 28000.2525, well past the vulnerable range. A fully updated 26H1 device is therefore protected.
Why This Flaw Matters Despite Its Local-Only Requirement
A common reaction to local-only vulnerabilities is to downrank them as non-critical, but information-disclosure flaws have a unique place in the attack chain. An attacker who gains even a low-privilege foothold on a system can use such a bug to snoop on sensitive data that might aid further compromise—think encryption keys, configuration details, or kernel memory structures that reveal attack surfaces. Microsoft hasn’t detailed exactly what information is exposed, but the high confidentiality rating signals that the data could be valuable.
Environments where multiple users share devices—like terminal servers, virtual desktop infrastructure, kiosks, or development machines—face elevated risk because an unauthorized local user could exploit the flaw to spy on other users or the system. Attackers who compromise a low-level account via phishing or a separate vulnerability could also leverage this disclosure to escalate their attack. While not a wormable threat, it’s a practical tool in the toolkit of any intruder.
What You Should Do Right Now
For home users and small offices: Open Windows Update, check for updates, and install the latest monthly rollup. Reboot when prompted. Then, confirm your version by typing “winver” in the Start menu and verifying that your build number matches or exceeds the fixed build for your Windows edition. If you’re on Windows 10 22H2 without ESU, consider upgrading to a supported version like Windows 11 to stay secure.
For IT administrators and security teams:
- Deploy immediately to high-value targets: Multi-user servers, admin workstations, and machines in shared-access scenarios should get the patch first. Use deployment rings to test compatibility with your software and drivers, but expedite the rollout.
- Verify compliance via build numbers: Don’t rely solely on update history; check the OS build through your endpoint management tools. For Windows 11 24H2 systems, you want build 26100.8875 or higher; for Server 2025, 26100.33158. If a machine shows a successful update but the build is lower, investigate stack servicing issues.
- Monitor for signs of local compromise: Since there are no specific indicators of compromise (IOCs) for this CVE, focus on detecting abnormal local executions, privilege escalation attempts, or suspicious access to driver interfaces.
- Windows 10 ESU: Confirm that your subscription is active and that KB5099539 has been applied.
Microsoft has not provided a workaround or mitigation that avoids patching. The only defense is installing the fix.
How We Got Here: A Regular Patch, an Unusual Spotlight
CVE-2026-50350 is one of dozens of vulnerabilities addressed in the July 2026 Patch Tuesday. It stands out because of its high confidentiality impact within a local context—a combination that often catches administrators off guard. Information-disclosure flaws in kernel-adjacent drivers appear periodically, and this one in the Trusted Runtime Interface Driver is a reminder that even components designed for trusted operations can harbor weaknesses.
Microsoft disclosed the vulnerability on July 14, 2026, and it is listed as confirmed by the assigning CVE Numbering Authority (Microsoft itself). The National Vulnerability Database is still enriching its entry, but the NVD’s initial analysis mirrors Microsoft’s assessment. No proof-of-concept code or active exploitation has been reported publicly, but that could change as more technical details emerge.
Outlook: A Patch Now, a Standalone Fix Later?
The absence of a configuration-based mitigation suggests Microsoft believes the underlying issue can only be resolved through a code fix in the cumulative update. Organizations that delay patching for testing reasons should not let this sit for long; the low attack complexity means any local execution vulnerability can be paired with it to increase damage. As attackers grow more sophisticated, such chaining becomes standard.
For now, the immediate task is straightforward: update, reboot, and verify. Keep an eye on the MSRC advisory as the NVD enriches its record—more details about the specific information exposed could help defenders craft targeted detections. But the core advice remains: patch early, verify build numbers, and treat local information-disclosure flaws as potential enablers for bigger breaches.