Microsoft’s July 14, 2026 security update seals a dangerous hole in Windows’ core cryptographic engine that could let intruders with minimal access pry open protected data. CVE-2026-55144, rated Important, lives in the Windows Cryptography API: Next Generation (CNG) and stems from a missing cryptographic step. Any local user – even with low privileges – can exploit it to tamper with confidential information, leaving no trace of a click or prompt.
The patch arrives via standard cumulative updates for Windows 11, Windows Server 2022, and Windows Server 2025. No workarounds exist, and the risk amplifies wherever multiple users or services share a machine. The clock starts now for admins to validate build numbers and lock down systems that handle encryption keys, certificates, or sensitive data pipelines.
The Vulnerability in Plain Terms
CVE-2026-55144 scores 7.1 out of 10 on the CVSS v3.1 scale, matching its dual impact of high confidentiality loss and high integrity loss. Microsoft classifies exploitation as “less likely” and has seen no public proof-of-concept or active attacks, but the technical underpinning is stark. A missing cryptographic operation – catalogued under CWE-325 – means the software omits a step that normally guarantees either the secrecy or authenticity of the data.
The company’s Security Update Guide is terse on specifics, as is the freshly published National Vulnerability Database entry, but the vector tells the story: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. An attacker needs local access and low privileges, finds no complexity in the attack, and doesn’t require a user to click a malicious file or accept a security prompt. The scope is unchanged, and availability is unaffected, but once inside, the attacker can both read and modify data that should be cryptographically shielded.
Practically, this isn’t a remote-code-execution nightmare that sprays the internet. It’s the kind of weakness an adversary uses after gaining a foothold – say, through a compromised service account, an insider with limited credentials, or malware that already wormed onto a workstation. On a shared server hosting multiple applications or on a developer’s rig where untrusted code tests alongside real keys, the threat escalates fast.
Which Systems Are Affected – and What the Fix Looks Like
Every currently supported client and server release needs this patch, and the patched build numbers are the only reliable sign of protection:
| Product | Patched Build |
|---|---|
| Windows 11 version 24H2 | 26100.8875 |
| Windows 11 version 25H2 | 26200.8875 |
| Windows 11 version 26H1 | 28000.2525 |
| Windows Server 2022 | 20348.5386 |
| Windows Server 2025 (Desktop, Server Core) | 26100.33158 |
Windows 11 24H2 and 25H2 receive the fix through KB5101650. The two editions share a servicing foundation, so the same cumulative package carries the CNG correction alongside dozens of other security and quality changes. Windows Server 2022 gets its own update: KB5099540. Both Server Core and Desktop Experience installations of Windows Server 2025 are covered, so minimal-interface systems are not exempt.
What about Windows 10? The advisory doesn’t list it, which aligns with the product’s end-of-life timeline. Organizations still running older releases will need to assess risk and accelerate migration plans.
Importantly, the CVE record’s build data was supplied directly by Microsoft and hasn’t yet been independently enriched by NIST’s National Vulnerability Database. That doesn’t weaken the advisory; Microsoft is the assigning CVE Numbering Authority and has marked the report as confirmed.
Why This Matters to You
For the home user: If you’re the only person using your Windows 11 PC and you keep it updated, the direct danger is low. The vulnerability requires an attacker to already have code running on your machine, which usually means you’ve been hit by something else first. Still, the July cumulative update includes this fix and dozens of other patches – install it now through Windows Update, reboot, and confirm you’re on the right build (26100.8875 or 26200.8875). Don’t let the “less likely” label lull you into a delay.
For IT administrators: This is where the urgency sharpens. If your organisation runs terminal servers, virtual desktops, build pipelines, jump hosts, or any multi-user Windows Server, the local access vector becomes a real door. A compromised service account, a disgruntled employee, or malware already present on a shared system could exploit CVE-2026-55144 to steal encryption keys, forge signed data, or decrypt protected content – all without needing admin rights. The prospect of a complete loss of confidentiality and integrity for data funneling through Windows CryptoAPI should set off alarm bells for security teams.
Consider these scenarios:
- A CI/CD toolchain running builds under a low-privilege service identity might be tricked into signing or tampering with release artifacts.
- An attacker with access to an RDS session host could intercept encrypted database connection strings or credential blobs.
- Virtual desktop environments where users share the same OS kernel could let one tenant pry into another’s cryptographic operations.
No mitigation exists beyond applying the patch. Microsoft hasn’t provided a registry tweak, a Group Policy toggle, or a firewall rule to block the exploit path. Until you update, the only defense is reducing the attack surface: enforce strong application control with WDAC or AppLocker, strip away unnecessary local accounts, ensure service accounts have minimal privileges, and restrict interactive logons on servers. Endpoint detection rules that flag unexpected CNG calls by non-trusted processes add a detective layer, though no CVE-specific detection pattern is available yet.
One immediate gotcha for Server 2022: Microsoft warns that a “limited number of devices” using an unrecommended combination of BitLocker Group Policy settings may be asked for a recovery key on the first restart after installing KB5099540. Verify that all recovery information is escrowed and accessible before you roll out the update to critical server groups. A server that won’t boot is a much more painful emergency than a cryptologic patch.
How We Got Here
The Windows CNG stack has been under the microscope for years. High-profile flaws like CurveBall (CVE-2020-0601) showed how a spoofed cryptographic certificate could undermine trust in the entire platform. Microsoft gradually hardened the API, but as this vulnerability demonstrates, even a single missing step in the cryptographic chain can leave a wide gap.
CVE-2026-55144 was discovered internally – the advisory credits no external researcher – and patched within the regular Patch Tuesday cycle. Its existence suggests that Microsoft’s own auditing or automated fuzzing found the gap, not an incident response. The classification as “Important” rather than “Critical” reflects the required local access and the lack of remote exploitation, but don’t mistake that for low severity in a defense-in-depth model.
Historically, attackers have combined such local privilege escalation or data-tampering bugs with code-execution flaws to build a complete kill chain. Patch management is no longer optional when physical or remote desktop access is enough to weaponize the vulnerability.
What You Should Do Right Now
- Apply the July 2026 cumulative update via Windows Update, Windows Server Update Services, Configuration Manager, or your preferred patch management tool. Do not defer this specific update beyond your normal test cycle.
- Check the build number after reboot with
winver, PowerShell (Get-ComputerInfo | Select-Object WindowsBuildNumber), or your endpoint management dashboard. Scanning tools that only report “latest updates installed” might miss machines stuck on an older build due to a failed installation. - For Server 2022 specifically, confirm BitLocker recovery keys are stored in Active Directory or your management vault before deploying KB5099540 to production. If you’ve deployed the recommended BitLocker policy settings, the issue is unlikely, but don’t gamble.
- Prioritize systems where local users or service accounts handle encryption, signing, or certificate operations. This includes certificate authorities, identity servers, build agents, file servers with Encrypting File System (EFS), and developer workstations.
- Review access controls even while patching. Remove obsolete accounts, restrict interactive logon rights, and segment sensitive systems so that a compromise on one machine doesn’t cascade into a crypto nightmare.
- Keep an eye on Microsoft’s Known Issues list for the corresponding KB articles. If exploitation in the wild emerges, Microsoft will update the advisory, and threat intelligence feeds will flag indicators.
The Bigger Picture
CVE-2026-55144 won’t dominate headlines like a remote zero-click flaw, but it chips away at a foundation Windows relies on everywhere – from HTTPS connections to Secure Boot. The fix is small, the affected update is routine, yet the consequences of skipping it could be vast for anyone managing shared Windows infrastructure.
The July 2026 patch bundle also addresses other vulnerabilities, so this one shouldn’t be treated in isolation. Roll it out as a block, but ensure your compliance reports zero-in on the cryptographic build: 26100.8875 for 24H2, 26200.8875 for 25H2, 20348.5386 for Server 2022, and 26100.33158 for Server 2025. In cybersecurity, “less likely” is still a risk you don’t have to take.